Logstash saving to two different indexes at the same time

Hi,

I'd like to request some help with logstash, currently I'm trying to use it as a rsyslog gatherer, basically I've got this setup:

Devices Reporting to RSYSLOG
RSYSLOG sending the logs to Logstash as JSON
Logstash sending the data to ElasticSearch

It's working, but I noticed that by default it saved the data with the following index:

logstash-DATE

Where DATE is the current day. I wanted to change this so all the logs from Rsyslog are saved using the index "syslog-infr-DATE", so I basically used this code to achieve it:

input {
  udp {
    host => "127.0.0.1"
    port => "10514"
    codec => "json"
    type => "rsyslog"
  }
}

output {
  if [type] == "rsyslog" {
    elasticsearch {
      hosts => [ "172.16.0.4:9200" ]
      index => "syslog-infr-%{+YYYY.MM.dd}"
    }
  }
}

It worked, it's saving it now with the index syslog-infr-DATE, but at the same time it keeps saving the same records in parallel to the old index. So I basically have the same data in two indexes:

syslog-infr-DATE
logstash-DATE

I don't know how to avoid this happening. My setup is basically using default values (in Logstash, Kibana and Elasticsearch), except for the IP addresses I changed (where to listen) and the configuration I just showed.

I'm using v5 of the ELK stack.

Thank you for any help in advance.

Please show your entire config, it will help diagnose the problem.

Also we’ve renamed ELK to the Elastic Stack, otherwise Beats and APM feel left out! :wink:

Hi,

Thank you for the reply. I found out what was happening, I basically left some configuration that I was testing around and didn't notice, my bad.

And I'll sure remember not to call it the "ELK stack" again haha.

Thank you.
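The cause described in the follow-up (a forgotten test file in the pipeline directory) is easy to reproduce, because Logstash concatenates every file in its config directory into one pipeline, and an extra elasticsearch output with no "index =>" setting writes each event a second time under the default logstash-YYYY.MM.dd name. The script below is an added diagnostic, not code from the thread or from the Logstash project: it lists every elasticsearch output block across a directory of .conf files and flags the ones that rely on the default index. The directory /etc/logstash/conf.d is an assumption (the Debian/RPM package default); the two sample files it builds in a temp directory are constructed for the demo, the first being the config posted in the question.

```shell
#!/bin/sh
# Added diagnostic for the "same events in two indexes" symptom.
# Assumption: the pipeline is assembled from every *.conf file in one
# directory (e.g. /etc/logstash/conf.d), so a stray file with an extra
# unconditional elasticsearch output duplicates every event.

# list_es_outputs DIR
# Prints "FILE:LINE explicit-index|DEFAULT-INDEX" for each elasticsearch output
# block found in DIR/*.conf. Brace depth is tracked so nested settings such as
# hosts => [ ... ] or index => "...%{+YYYY.MM.dd}" do not end the block early.
list_es_outputs() {
  awk '
    inblock == 0 && /elasticsearch[[:space:]]*\{/ {
        inblock = 1; hasindex = 0; where = FILENAME ":" FNR
        sub(/.*elasticsearch[[:space:]]*\{/, "{")   # keep only the block itself
        depth = 0
    }
    inblock == 1 {
        if ($0 ~ /index[[:space:]]*=>/) hasindex = 1
        depth += gsub(/\{/, "{") - gsub(/\}/, "}")   # gsub returns the count
        if (depth <= 0) {
            printf "%s %s\n", where, (hasindex ? "explicit-index" : "DEFAULT-INDEX")
            inblock = 0
        }
    }
  ' "$1"/*.conf
}

# count_es_outputs DIR : total number of elasticsearch output blocks
count_es_outputs() {
  list_es_outputs "$1" | grep -c . || true
}

# count_default_index_outputs DIR : blocks that will write to logstash-YYYY.MM.dd
count_default_index_outputs() {
  list_es_outputs "$1" | grep -c 'DEFAULT-INDEX' || true
}

# make_demo_dir : builds a temp directory with two constructed config files and
# prints its path. 10-rsyslog.conf is the config from the question; the second
# file stands in for the leftover test config that caused the duplicate index.
make_demo_dir() {
  dir=$(mktemp -d)
  cat > "$dir/10-rsyslog.conf" <<'EOF'
input {
  udp {
    host => "127.0.0.1"
    port => "10514"
    codec => "json"
    type => "rsyslog"
  }
}

output {
  if [type] == "rsyslog" {
    elasticsearch {
      hosts => [ "172.16.0.4:9200" ]
      index => "syslog-infr-%{+YYYY.MM.dd}"
    }
  }
}
EOF
  cat > "$dir/99-leftover-test.conf" <<'EOF'
# constructed: a forgotten test file, no condition and no index => setting
output {
  elasticsearch {
    hosts => [ "172.16.0.4:9200" ]
  }
}
EOF
  printf '%s\n' "$dir"
}

demo=$(make_demo_dir)
list_es_outputs "$demo"
echo "elasticsearch outputs: $(count_es_outputs "$demo"), using default index: $(count_default_index_outputs "$demo")"
rm -rf "$demo"
```

Run it against the real directory with list_es_outputs /etc/logstash/conf.d (or whatever path.config points at); any line marked DEFAULT-INDEX is an output that will keep feeding logstash-DATE, and an elasticsearch block that sits outside an if [type] == ... condition receives every event regardless of its type.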
