Multipipeline configuration

SaM9 · January 16, 2023, 5:56pm

How can I create a pipeline configuration in Logstash for two different logs that I'm receiving from syslog, the syslog auditd log and the web server log, and separate them to get different outputs? I have tried using an if-else condition based on the syslog_facility field, like follow :

filter {
  if [syslog_facility] == "auth" {
    # filter and parse auditd logs
    grok {
      match => { "message" => "pattern for auditd logs" }
    }
    mutate {
      add_tag => [ "auditd" ]
    }
  }
  if [syslog_facility] == "local0" {
    # filter and parse web server logs
    grok {
      match => { "message" => "pattern for web server logs" }
    }
    mutate {
      add_tag => [ "web" ]
    }
  }
}

But it doesn't work I change the filed to syslog.facility. code == 16 but it was the same thing
Should I create two separate files and configure multiple pipelines in pipeline.yml? If so, how can I get the pipeline id?

Rios · January 18, 2023, 9:55pm

If there is not much traffic, keep one conf with few IFs, especially if data is coming to a single port.

Basically, you have the value by which they differ. Since this is syslog you should have the logsource filed or msg format.

Can you show example of data which arrives to LS without modification? Both cases

If you want multiple pipelines configuration, check here.

system · February 15, 2023, 9:55pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Questions about DNS filter and multiple pipelines Logstash	2	6	November 22, 2024
Is it better to have one pipeline or multiple pipelines? Logstash	7	2869	October 28, 2021
One Logstash file with multiple logs entries/pipelines Logstash	8	4315	December 22, 2017
Issue with multiple pipelines of Logstash Logstash	1	191	June 29, 2023
Logstash 6 - Multiple Pipelines for One Input Logstash	10	9090	December 16, 2017

Multipipeline configuration

Related topics