Multiple different outputs

JohnM · August 28, 2019, 5:28am

We are running logstash to collect syslog and forwarding to ES cluster now which is working fine.

/etc/logstash/conf.d/5-listen.conf

input {
    udp {
            port => 514
            type => syslog
    }
    tcp {
            port => 514
            type => syslog
    }
}

/etc/logstash/conf.d/10-syslog.conf

filter {
    if [severity]   == 7 {
            drop {}
    }
    mutate {
      strip   => "message"
}

    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
      add_tag => [ "syslog"]
    }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }

    syslog_pri { }
}

output {
 elasticsearch {
hosts => ["172.17.40.83:9200","172.17.47.33:9200"]
manage_template => false
index => "logstash-infra-%{+YYYY.MM.dd}"
 }
}

Now I want to filter asterisk log and send it to the different ES server.
so I added
/etc/logstash/conf.d/7-asterisk.conf

filter {
    mutate {
            strip   => "message"
    }

    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %   {SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %   {GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
      add_tag => [ "syslog"]
    }
                            if [system_program] not in ["asterisk"] {
                                    drop{}
                            }else{
                                    date {
                                            match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
                                    }
    syslog_pri { }
                            }
}
output {
  elasticsearch {
  hosts => ["172.17.47.35:9200"]
  manage_template => false
   index => "logstash-asterisk-%{+YYYY.MM.dd}"
 }
}

But 7-asterisk.conf doesn't pickup "if program is astrisk" condition and once it dropped it won't go and read next 10-syslog.conf.
How do you filter and select output distination in general?
Thanks for your help in advance.

Badger · August 28, 2019, 12:05pm

Once you have dropped the event it is gone. It is not going to be passed to any other filters. If you want to make the output conditional then you can use a conditional in the output section

if [system_program] in ["asterisk"]

This probably does not do what you want it to do. in does not match single element arrays. If you want to test whether [system_program] is equal to the string "asterisk" then use

if [system_program] == "asterisk"

If you want to test whether it is a substring (so that "eri" would match) then use in

if [system_program] in "asterisk"

If the [asterisk] field is an array and you want to test whether the value of [system_program] is one of the members of the array then use

if [system_program] in [asterisk]

If you want to test whether the value of [system_program] is one of a set of more than one values then use

if [system_program] in [ "foo", "bar" ]

JohnM · August 28, 2019, 11:58pm

Thanks Badger I could manage it. Below works well.

filter {
    if [severity]   == 7 {
            drop {}
    }
    mutate {
            strip   => "message"
    }

    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
      add_tag => [ "syslog"]
    }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }

    syslog_pri { }
}

output {
    if [syslog_program] in [ "kamailio", "/usr/sbin/kamailio", "asterisk", "kamctl" ] 
   {
            elasticsearch {
                    hosts => ["172.17.47.111:9200"]
                    manage_template => false
                    index => "logstash-voice-%{+YYYY.MM.dd}"
            }
    } else {
            elasticsearch {
                    hosts => ["172.17.40.123:9200","172.17.47.123:9200"]
                    manage_template => false
                    index => "logstash-infra-%{+YYYY.MM.dd}"
            }
   }
}

system · September 25, 2019, 11:58pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Multiple output in logstash config, pls help! Logstash	7	4098	December 20, 2016
Filter multiple logs from same file to different index Logstash	2	575	June 23, 2020
Different inputs logs with logstash Logstash	7	5084	August 10, 2017
Logstash parsing syslog to different indices depending on source hosts Logstash	6	5282	August 8, 2017
Distinguish between syslog inputs Logstash	5	2588	May 25, 2017

Multiple different outputs

Related topics