Manage different type of logs with logstash

Luca_Padovan · September 25, 2020, 10:48am

I'm trying to managing different type of logs with logstash, but i don't see them in kibana.
logstash pipeline:

input {
	udp {
		port => 5000
		type => "heartbeat"
	}
	udp {
		port => 6000
		type => "startup_shutdown"
	}
}

filter {
	if [type] == "heartbeat" {
		grok {
				match => { "message" => "\[%{NUMBER:opcode:int},%{NUMBER:sender:int},%{NUMBER:alertbitmap:int},%{NUMBER:bat:float},%{NUMBER:ant:int},%{NUMBER:resbat:int},%{NUMBER:temp:float},%{NUMBER:presatm:int},%{NUMBER:umid:int},%{NUMBER:vertical:int},%{NUMBER:analog1:float},%{NUMBER:analog2:float},%{NUMBER:analog3:float},%{NUMBER:analog4:float},%{NUMBER:spostam:int},%{NUMBER:contporta1:int},%{NUMBER:contporta2:int},%{NUMBER:digital1:int},%{NUMBER:digital2:int},%{NUMBER:digital3:int},%{NUMBER:digital4:int},%{NUMBER:time:int}\]" }
		}
	} 
	if [type] == "startup_shutdown" {
		grok {
				match => { "message" => "\[%{NUMBER:opcode:int},%{NUMBER:sender:int},%{NUMBER:time:int}\]" }
		}
	}
}

output {
	elasticsearch {
		hosts => "elasticsearch:9200"
	}
}

How can I solve this problem? thanks in advance.

rugenl · September 26, 2020, 3:04am

You need to create a index pattern in Kibana, did you do that?

Luca_Padovan · September 28, 2020, 7:15am

Yes, I created a unique index pattern in kibana, but i don't see only the UDP messages coming from port 6000, but i see UDP messages from port 5000

rugenl · September 28, 2020, 11:21am

Check logstash and elasticsearch logs for errors

Check firewall rules on logstash, is UDP port 6000 listening and open?

Use tcpdump on the logstash host to ensure that udp 6000 events are arriving

Luca_Padovan · September 28, 2020, 12:05pm

port 6000 was closed, thanks a lot

system · October 26, 2020, 12:06pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.