Multipipeline configuration

How can I create a pipeline configuration in Logstash for two different logs that I'm receiving from syslog, the syslog auditd log and the web server log, and separate them to get different outputs? I have tried using an if-else condition based on the syslog_facility field, as follows:

filter {
  if [syslog_facility] == "auth" {
    # filter and parse auditd logs
    grok {
      match => { "message" => "pattern for auditd logs" }
    }
    mutate {
      add_tag => [ "auditd" ]
    }
  }
  if [syslog_facility] == "local0" {
    # filter and parse web server logs
    grok {
      match => { "message" => "pattern for web server logs" }
    }
    mutate {
      add_tag => [ "web" ]
    }
  }
}

But it doesn't work. I changed the field to syslog.facility.code == 16 but it was the same thing.
Should I create two separate files and configure multiple pipelines in pipelines.yml? If so, how can I get the pipeline id?

If there is not much traffic, keep one conf with few IFs, especially if data is coming to a single port.

Basically, you have the value by which they differ. Since this is syslog you should have the logsource field or msg format.

Can you show an example of the data which arrives at LS without modification? Both cases.

If you want a multiple-pipelines configuration, check here.
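The single-conf approach the reply recommends, written out as an added example (not code from either poster): one pipeline receives both feeds on one port, the syslog_pri filter derives the facility from the PRI header, and the conditionals compare the numeric facility code instead of a label string. The port 5514, the placeholder grok patterns, the Elasticsearch host and the index names are assumptions; the point it shows is that the field to test is the one a filter actually creates, and that events with an unexpected facility are tagged rather than silently dropped, so nothing disappears from the audit trail.

```logstash
# Added example: one pipeline for both the auditd feed and the web server feed,
# routed on the syslog facility. Port, patterns, host and index names are assumed.
input {
  tcp { port => 5514 type => "syslog" }
  udp { port => 5514 type => "syslog" }
}

filter {
  # Split the "<PRI>" header off the raw line; the remainder becomes syslog_message.
  grok {
    match => { "message" => "^<%{POSINT:syslog_pri}>%{GREEDYDATA:syslog_message}" }
  }

  # syslog_pri reads the syslog_pri field and adds syslog_facility_code (integer),
  # syslog_facility (label), syslog_severity_code and syslog_severity.
  syslog_pri { }

  # Facility 4 is auth (the plugin labels it "security/authorization", not "auth"),
  # facility 16 is local0. Comparing the code avoids depending on the label text.
  if [syslog_facility_code] == 4 {
    grok {
      # placeholder: replace with the real auditd pattern
      match => { "syslog_message" => "%{GREEDYDATA:auditd_event}" }
    }
    mutate { add_tag => [ "auditd" ] }
  } else if [syslog_facility_code] == 16 {
    grok {
      # placeholder: replace with the real web server access-log pattern
      match => { "syslog_message" => "%{GREEDYDATA:web_event}" }
    }
    mutate { add_tag => [ "web" ] }
  } else {
    # Anything arriving on another facility is kept and flagged, so a misconfigured
    # sender shows up in the unrouted index instead of vanishing.
    mutate { add_tag => [ "unrouted_facility" ] }
  }
}

output {
  if "auditd" in [tags] {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      index => "auditd-%{+YYYY.MM.dd}"
    }
  } else if "web" in [tags] {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      index => "web-%{+YYYY.MM.dd}"
    }
  } else {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      index => "syslog-unrouted-%{+YYYY.MM.dd}"
    }
  }
}
```

Two details explain why the original conditionals never matched: syslog_facility only exists if something (the syslog input or the syslog_pri filter) creates it, and a Logstash field reference is written with brackets, so syslog.facility.code is a literal field name containing dots, not a path; under ECS-compatible naming the syslog_pri filter stores the code at [log][syslog][facility][code], which is how it must be referenced in a conditional. If the two feeds later need separate pipelines, the pipeline id is simply the pipeline.id value declared for each entry in pipelines.yml, alongside its path.config.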
