Multiple different outputs

We are running Logstash to collect syslog and forward it to an ES cluster, which is working fine.

/etc/logstash/conf.d/5-listen.conf

input {
    # Raw syslog listeners: both transports bind port 514 and stamp the
    # event with type "syslog", which is what the filter files key on.
    # These are the generic tcp/udp inputs, not the syslog input, so no
    # PRI/severity parsing happens here, and nothing in this block
    # restricts or authenticates who may send to the port.
    tcp {
        type => syslog
        port => 514
    }
    udp {
        type => syslog
        port => 514
    }
}

/etc/logstash/conf.d/10-syslog.conf

filter {
    # NOTE(review): this test runs before anything in this file could set
    # [severity]. The listeners are plain udp/tcp (not the syslog input),
    # and syslog_pri at the end of this file populates, as far as I recall,
    # syslog_severity* fields rather than [severity] — so unless [severity]
    # is set upstream the drop is never taken. Verify against a live event.
    if [severity]   == 7 {
            drop {}
    }
    # Trim leading/trailing whitespace from the raw line before grok runs.
    mutate {
      strip   => "message"
}

    # Split an RFC3164-style line into timestamp, host, program[pid] and the
    # remaining text. received_at / received_from are copied from event
    # metadata at grok time; the event is tagged "syslog" when the match succeeds.
    # NOTE(review): the pattern does not capture the leading <PRI> number, so
    # there is no syslog_pri field for the syslog_pri filter below to read —
    # TODO confirm what it does with that field absent.
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
      add_tag => [ "syslog"]
    }
    # Replace @timestamp with the time from the log line; the two layouts
    # cover space-padded single-digit days ("MMM  d") and two-digit days.
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }

    # Decode the syslog priority into facility/severity fields. It runs last,
    # so the [severity] check at the top cannot see its output.
    syslog_pri { }
}

output {
    # Ship every event to the infra cluster; the daily index name is
    # derived from @timestamp and index templates are managed outside
    # Logstash. No ssl/user/password options are set, so this is plain
    # HTTP to both nodes — confirm that is intended for this network segment.
    elasticsearch {
        index => "logstash-infra-%{+YYYY.MM.dd}"
        manage_template => false
        hosts => ["172.17.40.83:9200","172.17.47.33:9200"]
    }
}

Now I want to filter the Asterisk log and send it to a different ES server, so I added
/etc/logstash/conf.d/7-asterisk.conf

filter {
    # NOTE(review): conf.d files are loaded in name order (hence the numeric
    # prefixes), so this file runs before 10-syslog.conf and every event
    # passes through it first.
    mutate {
            strip   => "message"
    }

    # NOTE(review): the pattern below contains "%   {" (spaces between % and {)
    # in two places; that is not a valid %{PATTERN} reference, so the match is
    # expected to fail and no syslog_* fields are extracted. Looks like a paste
    # artefact — compare the same pattern in 10-syslog.conf.
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %   {SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %   {GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
      add_tag => [ "syslog"]
    }
    # NOTE(review): grok names the field syslog_program, but this test reads
    # [system_program], which nothing in this config sets. With the field
    # absent, "not in" presumably evaluates true for every event, so everything
    # is dropped here — and drop{} is final: later filter files never see the
    # event, which matches the symptom reported below.
                            if [system_program] not in ["asterisk"] {
                                    drop{}
                            }else{
                                    # Only reached by events that survive the test above.
                                    date {
                                            match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
                                    }
    syslog_pri { }
                            }
}
output {
    # NOTE(review): this output has no conditional, so every event that
    # survives the filters is sent here (and presumably also to the
    # unconditional output in 10-syslog.conf). No ssl/user/password options
    # are set: plain HTTP to the node below.
    elasticsearch {
        index => "logstash-asterisk-%{+YYYY.MM.dd}"
        manage_template => false
        hosts => ["172.17.47.35:9200"]
    }
}

But 7-asterisk.conf doesn't pick up the "if program is asterisk" condition, and once an event has been dropped it is not passed on to the next file, 10-syslog.conf.
How do you filter events and select the output destination in general?
Thanks for your help in advance.

Once you have dropped an event it is gone; it will not be passed to any other filters. If you want to make the output conditional, use a conditional in the output section:

if [system_program] in ["asterisk"]

This probably does not do what you want it to do: in does not match single-element arrays. If you want to test whether [system_program] is equal to the string "asterisk", use

if [system_program] == "asterisk"

If you want to test whether it is a substring of "asterisk" (so that "eri" would match), use in

if [system_program] in "asterisk"

If the [asterisk] field is an array and you want to test whether the value of [system_program] is one of its members, use

if [system_program] in [asterisk]

If you want to test whether the value of [system_program] is one of a set of two or more values, use

if [system_program] in [ "foo", "bar" ]

Thanks Badger, I managed it. The configuration below works well.

filter {
    # NOTE(review): this test runs before anything in this file could set
    # [severity]. The listeners are plain udp/tcp (not the syslog input),
    # and syslog_pri at the end of this file populates, as far as I recall,
    # syslog_severity* fields rather than [severity] — so unless [severity]
    # is set upstream the drop is never taken. Verify against a live event.
    if [severity]   == 7 {
            drop {}
    }
    # Trim leading/trailing whitespace from the raw line before grok runs.
    mutate {
            strip   => "message"
    }

    # Split an RFC3164-style line into timestamp, host, program[pid] and the
    # remaining text. received_at / received_from are copied from event
    # metadata at grok time; the event is tagged "syslog" when the match succeeds.
    # NOTE(review): the pattern does not capture the leading <PRI> number, so
    # there is no syslog_pri field for the syslog_pri filter below to read —
    # TODO confirm what it does with that field absent.
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
      add_tag => [ "syslog"]
    }
    # Replace @timestamp with the time from the log line; the two layouts
    # cover space-padded single-digit days ("MMM  d") and two-digit days.
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }

    # Decode the syslog priority into facility/severity fields. It runs last,
    # so the [severity] check at the top cannot see its output.
    syslog_pri { }
}

output {
    # Route by program name: the voice daemons go to the dedicated cluster,
    # everything else to the infra cluster. The list has several members,
    # which sidesteps the single-element-array behaviour of "in" discussed above.
    # NOTE(review): syslog_program is grok'd out of the message body of an
    # unauthenticated syslog packet, so any sender that can reach port 514
    # chooses which cluster its events land in. Treat this as routing for
    # convenience, not as a security boundary between the two clusters.
    # Both outputs use plain HTTP (no ssl/user/password options set).
    if [syslog_program] in [ "kamailio", "/usr/sbin/kamailio", "asterisk", "kamctl" ] {
        elasticsearch {
            index => "logstash-voice-%{+YYYY.MM.dd}"
            manage_template => false
            hosts => ["172.17.47.111:9200"]
        }
    } else {
        elasticsearch {
            index => "logstash-infra-%{+YYYY.MM.dd}"
            manage_template => false
            hosts => ["172.17.40.123:9200","172.17.47.123:9200"]
        }
    }
}
