Just like many others i am quite new to ELK and have a question.
My logstash recieves syslogs from pfsense firewall.
I crated a grok filter that parses firewall events and extract all needed data from @message, based on tokens position.
Now, i want openvpn logs to be parsed as well, but.. structure of the @message is quite different, so i need to create a new portion of grok, that will mess with openvpn logs.
The question is, how can i create logic, that will search for specific word inside the message and then apply grok filter.
And (!) if word not found - then apply different filter?
- i saw that in previous versions of logstash was grep filter, but it's discontinued for now.. am i right?
** Another thing, that i will be greatly thankful if someone knows is- how can i point directly to specific token inside the message and then bind it to a var. just like tokens\delims thing.
Any suggestion will be highly appreciated!
Thanks in advance!