I recently changed my LogStash configuration from multiple pipelines input to 3 pipelines, relaying on another local pipelines with distributor.
Now, I've tried to send a UDP JSON to the udp pipeline, with the tag "localadmin" as you see in my configuration. The log arrives on the Logstash node, but it seems that something doesn't work, as the data were not indexed on the Elastic cluster.
You do not have a json filter in the udp pipeline, nor are you using the json codec in the input, so your message is not being parsed and there is no type field to be filtered.
No, you need to parse the message in the first pipeline that is receiving it, which is the one with the udp input.
You are using a field from the message to do the filtering, so if you do not parse it, you do not have the field to filter in your message and your output will not work correctly.
Just understood my mistake: if Logstash doesn't know the type of the data that comes, it can't sort by tags and send to other pipelines.
The goal was to have as few listening ports as possible on that node.
I don't think that the pipeline input has the codec option, it seems to have only the send_to and address options.
You will need to filter for some string in the message since you can't parse the message.
Something like this:
    input {
      udp {
        port => 514
      }
    }
    output {
      # The message is not parsed here, so route on a substring of the raw text
      if "localadmin" in [message] {
        pipeline { send_to => ["localadmin"] }
      } else if "passwordsynchronizer" in [message] {
        pipeline { send_to => ["passwordsynchronizer"] }
      }
      # other else if conditions
    }
I would also suggest that you use pipelines.yml to only point to the configs, and have the configs in separate files.
For example, create a udp.conf file with the udp pipeline and just point to this file in the pipelines.yml file. Having the configurations in the pipelines.yml can lead to confusion and mistakes if your configuration grows.
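
The advice in this thread combined into one layout, as an added example that is not from any of the posters: pipelines.yml only points at files, and the udp distributor parses JSON at the input so the routing field exists. The file paths, the Elasticsearch host, the fallback log path and routing on a `type` field are assumptions.

```yaml
# pipelines.yml: only ids and file paths (paths are assumed for this example)
- pipeline.id: udp
  path.config: "/etc/logstash/conf.d/udp.conf"
- pipeline.id: localadmin
  path.config: "/etc/logstash/conf.d/localadmin.conf"
- pipeline.id: passwordsynchronizer
  path.config: "/etc/logstash/conf.d/passwordsynchronizer.conf"

# --- udp.conf (distributor, the single listening port) ---
# input {
#   udp {
#     port  => 514
#     codec => json          # parse here so [type] exists before routing
#   }
# }
# output {
#   if [type] == "localadmin" {
#     pipeline { send_to => ["localadmin"] }
#   } else if [type] == "passwordsynchronizer" {
#     pipeline { send_to => ["passwordsynchronizer"] }
#   } else {
#     # Unknown type, or JSON that failed to parse (the json codec tags those
#     # events with _jsonparsefailure): write them to a file instead of
#     # losing them silently, so routing gaps show up during review.
#     file { path => "/var/log/logstash/udp-unrouted.log" }
#   }
# }
#
# --- localadmin.conf (downstream pipeline, no network listener) ---
# input  { pipeline { address => "localadmin" } }
# output { elasticsearch { hosts => ["https://es.example.internal:9200"] } }
```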