Hi All,
I have the below setup on my logstash config.
File name : custom.conf
input {
beats {
port => "5044"
ssl => true
ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
}
}
filter
{
grok {
match => [
"message",
"(?<timestamp>\[[0-9]{4}.[0-9]{2}.[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}.[0-9]{3}\]) \s*\-\s*%{LOGLEVEL:log-level}\s*\-\s* (?<ip>[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3})\s*\,\s*(?<corid>[[A-Z][a-z][0-9]]{11}|[[0-9][a-z]]{8}-[[0-9][a-z]]{4}-[[0-9][a-z]]{4}-[[0-9][a-z]]{4}-[[0-9][a-z]]{12})\s*\,\s*(?<interface>[a-z]{2}_[A-Z]{3}[0-9]{4}[a-z]{1}|[A-Z]{3}[0-9]{4}-[A-Z]{2}_[A-Z]{4}|[A-Z]{3}[0-9]{4}[a-z]{1}-[A-Z]{2}_[A-Z]{4}|[A-Z]{3}[0-9]{4}-[A-Z]{2}|[A-Z]{3}[0-9]{4}[a-z]{1}-[A-Z]{2}|[A-Z]{3}[0-9]{4}[a-z]{1}|[a-z]{9})\s*\,\s*(?<sequence>[a-z]{2}_[a-z]{2}_[A-Z]{3}[0-9]{4}[a-z]{1}_[a-z]*_[a-z]*|[a-z]{2}_[A-Z]{3}[0-9]{4}_[a-z]*_[a-z]*|[a-z]{2}_[A-Z]{3}[0-9]{4}_[[a-z][A-Z]]*|[a-z]{2}_[A-Z]{3}[0-9]{4}[a-z]{1}-[0-9]{1}|[a-z]{2}_[a-z]{2}_[A-Z]{3}[0-9]{4}[a-z]{1}-[0-9]{1}|[a-z]{2}\_[a-z]{2}_[A-Z]{3}[0-9]{4}[a-z]{1}_[[A-Z][a-z]]*|[a-z]{2}_[A-Z]{3}[0-9]{4}[a-z]{1}|[a-z]{2}_[a-z]{2}_[A-Z]{3}[0-9]{4}[a-z]{1})\s*\,\s*(?<log_point>[0-9]{4})\s*\,\s*%{GREEDYDATA:message_context}"
]
}
}
output {
elasticsearch {
hosts => ["192.168.200.42:9200"]
sniffing => true
manage_template => false
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
}
}
This is working as expected. I have added a another config file called stackhealth.conf and added the below content for that/
FIle name : stackhealth.conf
input {
beats {
port => 5044
ssl => true
ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
}
}
filter {
if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
syslog_pri { }
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}
}
output {
elasticsearch {
hosts => ["192.168.200.42:9200"]
sniffing => true
manage_template => false
index => "syshealth-index"
document_type => "%{[@metadata][type]}"
}
}
After I added bother files to the /etc/logstash/conf.d location still it only processes the custom.conf. How to make both works ?