How can I create a pipeline configuration in Logstash for two different logs that I'm receiving from syslog, the syslog auditd log and the web server log, and separate them to get different outputs? I have tried using an if-else condition based on the syslog_facility field, as follows:
filter {
  if [syslog_facility] == "auth" {
    # filter and parse auditd logs
    grok {
      match => { "message" => "pattern for auditd logs" }
    }
    mutate {
      add_tag => [ "auditd" ]
    }
  }
  if [syslog_facility] == "local0" {
    # filter and parse web server logs
    grok {
      match => { "message" => "pattern for web server logs" }
    }
    mutate {
      add_tag => [ "web" ]
    }
  }
}
But it doesn't work. I changed the field to syslog.facility.code == 16, but it was the same thing.
Should I create two separate files and configure multiple pipelines in pipeline.yml? If so, how can I get the pipeline id?
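An added example, not part of the question above and not the asker's configuration, showing one way to route the two streams inside a single pipeline. It assumes the events arrive through Logstash's syslog input with ecs_compatibility disabled, so the PRI header is decoded into the numeric field [facility] (auth = 4, local0 = 16) and a [facility_label], and the message header into [program]; the listener port, the audispd program name, the index names, the file path and the grok patterns are illustrative assumptions.

```logstash
# Added example, not the asker's configuration.
# Assumptions: events come in through the syslog input with ECS compatibility
# disabled, so the PRI header is decoded into the numeric field [facility]
# (auth = 4, local0 = 16) plus [facility_label], and the message header into
# [program]. With ecs_compatibility => v1 the same values live under
# [log][syslog][facility][code] and [log][syslog][facility][name].
input {
  syslog {
    port => 5514                     # assumed listener port
    ecs_compatibility => disabled
  }
}

filter {
  # Route on the decoded facility. The parsed [program] is checked too,
  # because a forwarding rsyslog may send auditd lines under a facility
  # other than auth (the program name is an assumption about the sender).
  if [facility] == 4 or [program] == "audispd" {
    grok {
      # Illustrative pattern for the audit record prefix, e.g.
      # type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e ...
      match => { "message" => "type=%{WORD:audit_type} msg=audit\(%{NUMBER:audit_epoch}:%{NUMBER:audit_serial}\):%{GREEDYDATA:audit_body}" }
      tag_on_failure => [ "_grokparsefailure_auditd" ]
    }
    mutate { add_tag => [ "auditd" ] }
  } else if [facility] == 16 {
    grok {
      # Built-in pattern for the Apache/nginx combined log format
      match => { "message" => "%{COMBINEDAPACHELOG}" }
      tag_on_failure => [ "_grokparsefailure_web" ]
    }
    mutate { add_tag => [ "web" ] }
  } else {
    # Anything matching neither branch is kept but marked, so it stays visible
    mutate { add_tag => [ "unrouted" ] }
  }
}

output {
  if "auditd" in [tags] {
    elasticsearch {
      hosts => [ "http://localhost:9200" ]       # assumed
      index => "auditd-%{+YYYY.MM.dd}"
    }
  } else if "web" in [tags] {
    elasticsearch {
      hosts => [ "http://localhost:9200" ]       # assumed
      index => "web-%{+YYYY.MM.dd}"
    }
  } else {
    file { path => "/var/log/logstash/unrouted.log" }   # assumed path
  }
}
```

When a conditional silently matches nothing, the first check is to add a temporary `stdout { codec => rubydebug }` output and look at the exact field names on a real event: the syslog input sets [facility] and [facility_label], while a field called [syslog_facility] is only created by the separate syslog_pri filter, so a test against a field that does not exist is always false. Validate the file with `logstash -f routing.conf --config.test_and_exit`, then send a probe such as `logger -n 127.0.0.1 -P 5514 -p local0.info "test"` and confirm the event carries the "web" tag. If you would rather split the two parsers into separate files, pipelines.yml lists each one as `- pipeline.id: auditd` followed by `path.config: "/etc/logstash/conf.d/auditd.conf"`; the id is a name you assign, not one Logstash hands out, and each pipeline then needs its own input (a different port), or a third pipeline that listens on the shared port and forwards with the `pipeline` output's `send_to` to `pipeline` inputs whose `address` matches.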