We are ingesting data from multiple data sources over port 514 and using Logstash to ship them out to multiple destinations. Is there a way to tag ingested data based on source IP so that it can be forwarded to the correct destination?
Something like
input {
udp {
port => 514
source_port => x.x.x.x
tags => "cef"
}
udp {
port => 514
source_port => y.y.y.y.y
tags => "syslog"
}
}
Where the source_port would be the IP of the data source.
It depends on how your message looks like, you can use some string from your message to add tags in the filter block.
filter {
if "something" in [message] {
mutate {
add_tag => ["tag"]
}
}
}
Or you can also parse your message and use a similar condition with the value of specific field, but is not possible to do what you want in the input, there is nothing like that config.
The udp input adds the source ip of the the message to the event, so you can add tags conditional upon that. It does not include the source port.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.