Multiple conf files handling issue in logstash

Dazith_Kj · May 10, 2018, 9:39am

Hi All,

I have the below setup on my logstash config.

File name : custom.conf

input {
    beats {
        port => "5044"
        ssl => true
        ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
        ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
    }
}

filter
{

grok {
    match => [
      "message",
      "(?<timestamp>\[[0-9]{4}.[0-9]{2}.[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}.[0-9]{3}\]) \s*\-\s*%{LOGLEVEL:log-level}\s*\-\s* (?<ip>[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3})\s*\,\s*(?<corid>[[A-Z][a-z][0-9]]{11}|[[0-9][a-z]]{8}-[[0-9][a-z]]{4}-[[0-9][a-z]]{4}-[[0-9][a-z]]{4}-[[0-9][a-z]]{12})\s*\,\s*(?<interface>[a-z]{2}_[A-Z]{3}[0-9]{4}[a-z]{1}|[A-Z]{3}[0-9]{4}-[A-Z]{2}_[A-Z]{4}|[A-Z]{3}[0-9]{4}[a-z]{1}-[A-Z]{2}_[A-Z]{4}|[A-Z]{3}[0-9]{4}-[A-Z]{2}|[A-Z]{3}[0-9]{4}[a-z]{1}-[A-Z]{2}|[A-Z]{3}[0-9]{4}[a-z]{1}|[a-z]{9})\s*\,\s*(?<sequence>[a-z]{2}_[a-z]{2}_[A-Z]{3}[0-9]{4}[a-z]{1}_[a-z]*_[a-z]*|[a-z]{2}_[A-Z]{3}[0-9]{4}_[a-z]*_[a-z]*|[a-z]{2}_[A-Z]{3}[0-9]{4}_[[a-z][A-Z]]*|[a-z]{2}_[A-Z]{3}[0-9]{4}[a-z]{1}-[0-9]{1}|[a-z]{2}_[a-z]{2}_[A-Z]{3}[0-9]{4}[a-z]{1}-[0-9]{1}|[a-z]{2}\_[a-z]{2}_[A-Z]{3}[0-9]{4}[a-z]{1}_[[A-Z][a-z]]*|[a-z]{2}_[A-Z]{3}[0-9]{4}[a-z]{1}|[a-z]{2}_[a-z]{2}_[A-Z]{3}[0-9]{4}[a-z]{1})\s*\,\s*(?<log_point>[0-9]{4})\s*\,\s*%{GREEDYDATA:message_context}"
    ]
  }

}



output {
  elasticsearch {
    hosts => ["192.168.200.42:9200"]
    sniffing => true
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
  }
}

This is working as expected. I have added a another config file called stackhealth.conf and added the below content for that/

FIle name : stackhealth.conf

input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    syslog_pri { }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

output {
  elasticsearch {
    hosts => ["192.168.200.42:9200"]
    sniffing => true
    manage_template => false
    index => "syshealth-index"
    document_type => "%{[@metadata][type]}"
  }
}

After I added bother files to the /etc/logstash/conf.d location still it only processes the custom.conf. How to make both works ?

ventrca · May 10, 2018, 9:59am

Multiple pipelines is the answer. https://www.elastic.co/guide/en/logstash/current/multiple-pipelines.html

For your problem, maybe you are not modifying pipelines.yml?

Dazith_Kj · May 10, 2018, 10:18am

Hi @ventrca.

I am not seeing pipelines.yml in my logstash setup under /etc/logstash/conf.d. Any idea on this ?

ventrca · May 10, 2018, 10:30am

Which version are you using? I have it in logstash/config

Dazith_Kj · May 10, 2018, 10:36am

Below is the log stash version @ventrca

root@localhost:/opt/logstash/bin# ./logstash -V
logstash 2.2.4

I have only two conf files which I have created under /etc/logstash/conf.d

root@localhost:/etc/logstash/conf.d# ls
stackhealth.conf test.conf

ventrca · May 10, 2018, 10:37am

Sorry, I can't help you with this. I'm using the 6.6.2

Dazith_Kj · May 10, 2018, 10:40am

Thanks @ventrca !

magnusbaeck · May 16, 2018, 8:24pm

Multiple pipelines is the answer.

The problem is that you can't have two beats input that listen on the same port. Multiple pipelines won't help there.

Dazith_Kj · May 17, 2018, 10:53am

Thanks @magnusbaeck. Is there any other way to satisfy this requirement ?

magnusbaeck · May 17, 2018, 1:53pm

Is there any other way to satisfy this requirement ?

What requirement? Multiple configuration files?

Dazith_Kj · May 17, 2018, 2:57pm

@magnusbaeck what I need is publish specific data which matches two patterns to two different indexes in ES. If the requirement is not clear please let me know. Ill explain more with a simple example.

darkmoon · May 17, 2018, 7:16pm

Either have your two sources identify them selves (with a custom field, maybe) and use that to route your documents, or you can have two listeners (on different ports) that add the routing data.

You can set a @metadata field with the name of the index you want a document to be indexed to, then use that field in the output block.

system · June 14, 2018, 7:16pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Multiple Filebeat prospectors, one filebeat instance, multiple logstash .conf files Logstash	2	785	September 6, 2018
Give logstash two different log files with filebeat but i only get one in Elasticsearch Logstash	7	1141	June 10, 2019
2 grok filter NOT WOERKED ! :\| Logstash	6	1279	December 26, 2017
Issue with Multiple Logstash Conf files Logstash	14	2939	July 5, 2017
Question about multiple conf files Logstash	3	521	March 15, 2017

Multiple conf files handling issue in logstash

Related topics