Logstash with multiple input and output

ck_7 · December 3, 2020, 2:39pm

Help me to understand the below logstash config. Trying to configure multiples input and output but index shows only one.

Here my config:
There is no Error: logstash runs but no index name for the storage. only network logs works

input {
tcp {
port => 5514
codec => plain
tags => network
}
}
input {
tcp {
port => 5515
codec => plain
tags => storage
}
}
filter {
if "network" in [tags] {
mutate {
add_field => { "hostname" => "%{host}" }
}
dns {
action => "replace"
reverse => [ "hostname" ]
add_tag => [ "dns_lookup" ]
}
}
else if "storage" in [tags] {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:[%{POSINT:syslog_pid}])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
syslog_pri { }
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}
}
output {
if "network" in [tags] {
elasticsearch { hosts => ["https://elk-logging.XXXXXX.net:9200"]
cacert => '/etc/logstash/certs/xxxxxxxxxx.crt'
user => "elastic"
password => "XXXXXXXXXX"
index => "network-syslog" }
stdout { codec => rubydebug }
}
else if "storage" in [tags] {
elasticsearch { hosts => ["https://elk-logging.XXXXXXX.net:9200"]
cacert => '/etc/logstash/certs/xxxxxxxx.crt'
user => "elastic"
password => "XXXXXXXX"
index => "storage-syslog" }
stdout { codec => rubydebug }
}
}

aaron-nimocks · December 3, 2020, 2:57pm

Think it's just ignoring your second input block. I've never tried to add 2 input blocks and would think that would throw an error. Try below and let me know if it works.

input {
 tcp {
  port => 5514
  codec => plain
  tags => network
 }
 tcp {
  port => 5515
  codec => plain
  tags => storage
 }
}

ck_7 · December 3, 2020, 3:12pm

Thanks for the quick reply. That was so fast.
Modified the config but no use still the same .. Receiving logs from the network but not Storage.

aaron-nimocks · December 3, 2020, 3:18pm

Next I'd try to just verify data coming in using something like below.

input {
 tcp {
  port => 5515
  codec => plain
  tags => storage
 }
}
output {
 stdout { codec => rubydebug }
}

ck_7 · December 3, 2020, 3:18pm

Sorry Aaron,
configured with rsyslog in one VM. logs are redirected to 5515 port with storage. its worked need to check real storage devices.

Thanks for the Quick reply .. You saved my day.

My Storage sending Syslog info using UDP by default. same configured with input with UDP port 5515.

Final input

input {
tcp {
port => 5514
codec => plain
tags => network
}
udp {
port => 5514
codec => plain
tags => network
}
tcp {
port => 5515
codec => plain
tags => storage
}
udp{
port => 5515
codec => plain
tags => storage
}
}

system · December 31, 2020, 3:19pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Multiple output in logstash config, pls help! Logstash	7	4098	December 20, 2016
How to create multiple indexs with multiple input in logstash Logstash	8	2912	March 19, 2021
Multiple inputs and outputs in logstash conf file Logstash	12	4478	April 26, 2019
Multiple output options in logstash.conf Logstash	9	7410	January 27, 2021
Multiple inputs and multiple outputs Logstash	4	4828	September 2, 2018

Logstash with multiple input and output

Related topics