Logstash with multiple input and output

Help me understand the Logstash config below. I am trying to configure multiple inputs and outputs, but only one index shows up.

Here is my config:
There is no error: Logstash runs, but there is no index for the storage logs. Only the network logs work.

input {
  tcp {
    port => 5514
    codec => plain
    tags => network
  }
}
input {
  tcp {
    port => 5515
    codec => plain
    tags => storage
  }
}
filter {
  if "network" in [tags] {
    mutate {
      add_field => { "hostname" => "%{host}" }
    }
    dns {
      action => "replace"
      reverse => [ "hostname" ]
      add_tag => [ "dns_lookup" ]
    }
  }
  else if "storage" in [tags] {
    grok {
      # The literal brackets around the PID must be escaped in the regex
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    syslog_pri { }
    date {
      match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}
output {
  if "network" in [tags] {
    elasticsearch {
      hosts => ["https://elk-logging.XXXXXX.net:9200"]
      cacert => '/etc/logstash/certs/xxxxxxxxxx.crt'
      user => "elastic"
      password => "XXXXXXXXXX"
      index => "network-syslog"
    }
    stdout { codec => rubydebug }
  }
  else if "storage" in [tags] {
    elasticsearch {
      hosts => ["https://elk-logging.XXXXXXX.net:9200"]
      cacert => '/etc/logstash/certs/xxxxxxxx.crt'
      user => "elastic"
      password => "XXXXXXXX"
      index => "storage-syslog"
    }
    stdout { codec => rubydebug }
  }
}

Think it's just ignoring your second input block. I've never tried to add 2 input blocks and would think that would throw an error. Try below and let me know if it works.

input {
 tcp {
  port => 5514
  codec => plain
  tags => network
 }
 tcp {
  port => 5515
  codec => plain
  tags => storage
 }
}

Thanks for the quick reply. That was so fast.
I modified the config, but it is still the same: receiving logs from the network but not from storage. :frowning:

Next I'd try to just verify data coming in using something like below.

input {
 tcp {
  port => 5515
  codec => plain
  tags => storage
 }
}
output {
 stdout { codec => rubydebug }
}

Sorry Aaron,
I configured rsyslog in one VM. Logs are redirected to port 5515 with storage. It worked; I need to check the real storage devices.

Thanks for the quick reply. You saved my day.

My storage sends syslog info using UDP by default. I configured the same with a UDP input on port 5515.

Final input

input {
  tcp {
    port => 5514
    codec => plain
    tags => network
  }
  udp {
    port => 5514
    codec => plain
    tags => network
  }
  tcp {
    port => 5515
    codec => plain
    tags => storage
  }
  udp {
    port => 5515
    codec => plain
    tags => storage
  }
}

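The root cause in this thread was a transport mismatch: the storage devices sent syslog over UDP while Logstash listened on TCP only. The following is an added example, not code from any poster in the thread: a small Python listener that binds both TCP and UDP on the same port and reports which transport the first message arrives on. The function names are hypothetical, and it assumes Logstash is stopped (or that you run it on a test host) so that port 5515 is free.

```python
import select
import socket


def open_listeners(port=5515, host="0.0.0.0"):
    """Bind a TCP and a UDP socket to the same port number; return (tcp, udp)."""
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    tcp.bind((host, port))
    tcp.listen(5)
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    # Reuse the number the TCP socket got, so port=0 also yields a matching pair.
    udp.bind((host, tcp.getsockname()[1]))
    return tcp, udp


def first_message(tcp, udp, timeout=30.0):
    """Wait for the first message; return (transport, sender_ip, text) or None."""
    ready, _, _ = select.select([tcp, udp], [], [], timeout)
    if not ready:
        return None  # nothing arrived on either transport
    if udp in ready:
        data, (ip, _port) = udp.recvfrom(65535)
        return "udp", ip, data.decode("utf-8", "replace").rstrip()
    conn, (ip, _port) = tcp.accept()
    with conn:
        conn.settimeout(timeout)
        try:
            data = conn.recv(65535)
        except socket.timeout:
            data = b""  # sender connected but sent nothing in time
    return "tcp", ip, data.decode("utf-8", "replace").rstrip()


if __name__ == "__main__":
    tcp_sock, udp_sock = open_listeners(5515)  # port taken from the thread
    result = first_message(tcp_sock, udp_sock, timeout=60.0)
    if result is None:
        print("no syslog traffic on TCP or UDP within 60 s")
    else:
        transport, sender, text = result
        print(f"{sender} sent over {transport.upper()}: {text}")
```

A result of `udp` means the matching Logstash input for that source has to be a `udp { ... }` block, as in the final config above.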
