Hi, I am trying to send multiple log files to different ES indices. However, Logstash shuts down due to an error. I am a beginner and I could use some help with the same.
here is my logstash conf file -
input {
beats {
port => 5044
host => "localhost"
}
}
filter{
if "operational" in [tags]
{
csv {
separator => ","
columns => ["record_id","record_type","system_ticks", "system_date", "system_time", "power_on_counter", "aircraft_id", "temperature", "L1_code", "L2_code", "L3_code", "L4_code", "L1_text", "L2_text", "L3_text", "L4_text", "additional_text", "occurrence_count"]
}
}
else if "syslog" in [tags]
{
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
syslog_pri {}
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}
else if "access" in [tags]
{
grok {
match => { "message" => "%{COMBINEDAPACHELOG}"}
}
}
else if "psw-logs" in [tags]
{
csv {
separator => ","
columns => ["Component", "Level", "Thread", "Date", "File", "Function", "Target ID", "Message"]
}
}
else if "audit" or "comm_audit" in [tags]
{
grok {
match => { "message" => "type=%{DATA:audit_type}\smsg=audit\(%{NUMBER:audit_epoch}:%{NUMBER:audit_counter}\):.*?( msg=\'(?<sub_msg>.*?)\')?$" }
named_captures_only => true
}
kv {
exclude_keys => [ "msg", "type" ]
}
kv {
source => "sub_msg"
}
date {
match => [ "audit_epoch", "UNIX" ]
}
mutate {
rename => [
"auid", "uid_audit",
"fsuid", "uid_fs",
"suid", "uid_set",
"ses", "session_id"
]
remove_field => ['sub_msg', 'audit_epoch']
}
}
else if "radius" in [tags]
{
grok {
match => { "message" => "%{HTTPDERROR_DATE:date}\s:\s%{LOGLEVEL:log}:%{GREEDYDATA:message}"}
}
}
if "_grokparsefailure" in [tags] {
drop { }
}
}
output {
if "operational" in [tags] {
elasticsearch {
hosts => "http://localhost:9200"
index => "operational logs"
}
stdout {codec => "rubydebug"}
}
else if "access" in [tags] {
elasticsearch {
hosts => "http://localhost:9200"
index => "access logs"
}
stdout {codec => "rubydebug"}
}
else if "psw-logs" in [tags] {
elasticsearch {
hosts => "http://localhost:9200"
index => "psw-logs"
}
stdout {codec => "rubydebug"}
}
else if "audit" or "comm_audit" in [tags] {
elasticsearch {
hosts => "http://localhost:9200"
index => "audit logs"
}
stdout {codec => "rubydebug"}
}
else if "radius" or "detail" in [tags] {
elasticsearch {
hosts => "http://localhost:9200"
index => "radius"
}
stdout {codec => "rubydebug"}
}
}
Thanks in advance for your time