Multiple conf files handling issue in logstash

Dazith_Kj · May 10, 2018, 9:39am

Hi All,

I have the below setup on my logstash config.

File name : custom.conf

input {
    beats {
        port => "5044"
        ssl => true
        ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
        ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
    }
}

filter
{

grok {
    match => [
      "message",
      "(?<timestamp>\[[0-9]{4}.[0-9]{2}.[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}.[0-9]{3}\]) \s*\-\s*%{LOGLEVEL:log-level}\s*\-\s* (?<ip>[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3})\s*\,\s*(?<corid>[[A-Z][a-z][0-9]]{11}|[[0-9][a-z]]{8}-[[0-9][a-z]]{4}-[[0-9][a-z]]{4}-[[0-9][a-z]]{4}-[[0-9][a-z]]{12})\s*\,\s*(?<interface>[a-z]{2}_[A-Z]{3}[0-9]{4}[a-z]{1}|[A-Z]{3}[0-9]{4}-[A-Z]{2}_[A-Z]{4}|[A-Z]{3}[0-9]{4}[a-z]{1}-[A-Z]{2}_[A-Z]{4}|[A-Z]{3}[0-9]{4}-[A-Z]{2}|[A-Z]{3}[0-9]{4}[a-z]{1}-[A-Z]{2}|[A-Z]{3}[0-9]{4}[a-z]{1}|[a-z]{9})\s*\,\s*(?<sequence>[a-z]{2}_[a-z]{2}_[A-Z]{3}[0-9]{4}[a-z]{1}_[a-z]*_[a-z]*|[a-z]{2}_[A-Z]{3}[0-9]{4}_[a-z]*_[a-z]*|[a-z]{2}_[A-Z]{3}[0-9]{4}_[[a-z][A-Z]]*|[a-z]{2}_[A-Z]{3}[0-9]{4}[a-z]{1}-[0-9]{1}|[a-z]{2}_[a-z]{2}_[A-Z]{3}[0-9]{4}[a-z]{1}-[0-9]{1}|[a-z]{2}\_[a-z]{2}_[A-Z]{3}[0-9]{4}[a-z]{1}_[[A-Z][a-z]]*|[a-z]{2}_[A-Z]{3}[0-9]{4}[a-z]{1}|[a-z]{2}_[a-z]{2}_[A-Z]{3}[0-9]{4}[a-z]{1})\s*\,\s*(?<log_point>[0-9]{4})\s*\,\s*%{GREEDYDATA:message_context}"
    ]
  }

}



output {
  elasticsearch {
    hosts => ["192.168.200.42:9200"]
    sniffing => true
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
  }
}

This is working as expected. I have added a another config file called stackhealth.conf and added the below content for that/

FIle name : stackhealth.conf

input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    syslog_pri { }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

output {
  elasticsearch {
    hosts => ["192.168.200.42:9200"]
    sniffing => true
    manage_template => false
    index => "syshealth-index"
    document_type => "%{[@metadata][type]}"
  }
}

After I added bother files to the /etc/logstash/conf.d location still it only processes the custom.conf. How to make both works ?

ventrca · May 10, 2018, 9:59am

Multiple pipelines is the answer. https://www.elastic.co/guide/en/logstash/current/multiple-pipelines.html

For your problem, maybe you are not modifying pipelines.yml?

Dazith_Kj · May 10, 2018, 10:18am

Hi @ventrca.

I am not seeing pipelines.yml in my logstash setup under /etc/logstash/conf.d. Any idea on this ?

ventrca · May 10, 2018, 10:30am

Which version are you using? I have it in logstash/config

Dazith_Kj · May 10, 2018, 10:36am

Below is the log stash version @ventrca

root@localhost:/opt/logstash/bin# ./logstash -V
logstash 2.2.4

I have only two conf files which I have created under /etc/logstash/conf.d

root@localhost:/etc/logstash/conf.d# ls
stackhealth.conf test.conf

ventrca · May 10, 2018, 10:37am

Sorry, I can't help you with this. I'm using the 6.6.2

Dazith_Kj · May 10, 2018, 10:40am

Thanks @ventrca !

magnusbaeck · May 16, 2018, 8:24pm

Multiple pipelines is the answer.

The problem is that you can't have two beats input that listen on the same port. Multiple pipelines won't help there.

Dazith_Kj · May 17, 2018, 10:53am

Thanks @magnusbaeck. Is there any other way to satisfy this requirement ?

magnusbaeck · May 17, 2018, 1:53pm

Is there any other way to satisfy this requirement ?

What requirement? Multiple configuration files?

Dazith_Kj · May 17, 2018, 2:57pm

@magnusbaeck what I need is publish specific data which matches two patterns to two different indexes in ES. If the requirement is not clear please let me know. Ill explain more with a simple example.

darkmoon · May 17, 2018, 7:16pm

Either have your two sources identify them selves (with a custom field, maybe) and use that to route your documents, or you can have two listeners (on different ports) that add the routing data.

You can set a @metadata field with the name of the index you want a document to be indexed to, then use that field in the output block.

system · June 14, 2018, 7:16pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.