LS - elasticsearch output conditionals


(Dustin Liddick) #1

Hello:

I am having some issues with my LS output conditionals for elasticsearch. I have the following below as my output filter. However, when I run a '--configtest' on it, it fails... I am wondering if I have my syntax wrong, as I want to send filter output based on "tags". Also, LS started to fail to create indices on ES... I am not sure why that started? Is that permissions on ES? I see no errors in logs.

output {
  if [type] == "syslog" {
    elasticsearch {
      hosts => [ "ceelkestb-ob-8p:9200", "ceelkesdn-ob-1p:9200", "ceelkesdn-ob-3p:9200", "ceelkesdn-ob-4p:9200", "ceelkesdn-ob-5p:9200", "ceelkesdn-ob-7p:9200" ]
      index => "redhat-%{+YYYY.MM.dd}"
      flush_size => 1000
      workers => 4
      manage_template => true
      template_overwrite => true
      template => "/opt/logstash/lib/logstash/outputs/elasticsearch/elasticsearch-redhat-template.json"
    }
  }
  elseif [type] == "eventlog" {
    elasticsearch {
      hosts => [ "ceelkestb-ob-8p:9200", "ceelkesdn-ob-1p:9200", "ceelkesdn-ob-3p:9200", "ceelkesdn-ob-4p:9200", "ceelkesdn-ob-5p:9200", "ceelkesdn-ob-7p:9200" ]
      index => "eventlog-%{+YYYY.MM.dd}"
      workers => 4
      manage_template => true
      template_overwrite => true
      template => "/opt/logstash/lib/logstash/outputs/elasticsearch/elasticsearch-eventlog-template.json"
    }
  }
  elseif [type] == "cisco-asa" {
    elasticsearch {
      hosts => [ "ceelkestb-ob-8p:9200", "ceelkesdn-ob-1p:9200", "ceelkesdn-ob-3p:9200", "ceelkesdn-ob-4p:9200", "ceelkesdn-ob-5p:9200", "ceelkesdn-ob-7p:9200" ]
      index => "cisco-asa-%{+YYYY.MM.dd}"
      flush_size => 1000
      workers => 4
      manage_template => true
      template_overwrite => true
      template => "/opt/logstash/lib/logstash/outputs/elasticsearch/elasticsearch-cisco-asa-template.json"
    }
  }
  else {
    elasticsearch {
      hosts => [ "ceelkestb-ob-8p:9200", "ceelkesdn-ob-1p:9200", "ceelkesdn-ob-3p:9200", "ceelkesdn-ob-4p:9200", "ceelkesdn-ob-5p:9200", "ceelkesdn-ob-7p:9200" ]
      flush_size => 2000
      workers => 1
      #manage_template => true
      #template => "/opt/logstash/lib/logstash/outputs/elasticsearch/elasticsearch-template.json"
    }
  }
}


(Magnus Bäck) #2

Looks okay to me. What's the error message from --configtest?


(Dustin Liddick) #3

After running the config test, it seems to be checking out fine. I honestly have no clue what I did to change. According to the last '--configtest' that I ran, it showed I had almost like a commenting issue with a bracket around line 17... but not sure what I did to fix, but just ran a test again, and it passed. I then added this config to LS output and restarted... And it seemed like it has created the proper indexes.

Thanks again for taking the time out of your day and looking into this. If I come across anything additional about this error, I'll be sure to add it.

