Hi Warkolm,
I have used the conditional hostname and created two filter files inside the logstash configuration directory.
but for some reason logstash does not working with two filter files at a time.
filter configuration for one machine
filter
{
if [host] == "datanode2"
{
if [type] == "log"
{
grok
{
match => [ "message", "%{SYSLOGTIMESTAMP:timestamp} (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} %{SYSLOGPROG}: %{WORD:authentication}" ]
add_tag => [ "log", "grokked" ]
}
}
if [type] == "log" and [authentication] not in ["Failed","info"]
{
drop{}
}
if [type] == "iisbeat"
{
#ignore log comments
if [message] =~ "^#" {
drop {}
}
grok {
# check that fields match your IIS log settings
match => ["message", "%{TIMESTAMP_ISO8601:timestamp} %{IPORHOST:hostip} %{WORD:method} %{NOTSPACE:page} %{NOTSPACE:query} %{NUMBER:port} %{NOTSPACE:username} %{IPORHOST:clientip} %{NOTSPACE:useragent} %{NOTSPACE:referrer} %{NUMBER:response} %{NUMBER:subresponse} %{NUMBER:scstatus} %{NUMBER:timetaken}"]
}
}
#Set the Event Timesteamp from the log
date {
match => [ "log_timestamp", "YYYY-MM-dd HH:mm:ss" ]
timezone => "Etc/UTC"
}
useragent {
source=> "useragent"
prefix=> "browser"
}
mutate {
remove_field => [ "log_timestamp"]
}
if [type] == "iisbeat" and [response] not in ["404", "444"] {
drop {}
}
if [type] == "wineventlog"
{
if [event_id] not in [4625,4666] {
drop {}
}
}
if [type] == "apachebeat"
{
grok {
match => { "message" => "%{COMMONAPACHELOG}" }
add_tag => [ "apachebeat", "grokked" ]
}
}
if [type] == "apachebeat" and [response] not in ["404", "403"] {
drop {}
}
}
else if [tags] not in ["grokked"]
{drop{}}
}
filter configuration for another machines
filter
{
if [host] == "datanode3"
{
if [type] == "log"
{
grok
{
match => [ "message", "%{SYSLOGTIMESTAMP:timestamp} (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} %{SYSLOGPROG}: %{WORD:authentication}" ]
add_tag => [ "log", "grokked" ]
}
}
if [type] == "log" and [authentication] not in ["Failed","info"]
{
drop{}
}
if [type] == "iisbeat"
{
#ignore log comments
if [message] =~ "^#" {
drop {}
}
grok {
# check that fields match your IIS log settings
match => ["message", "%{TIMESTAMP_ISO8601:timestamp} %{IPORHOST:hostip} %{WORD:method} %{NOTSPACE:page} %{NOTSPACE:query} %{NUMBER:port} %{NOTSPACE:username} %{IPORHOST:clientip} %{NOTSPACE:useragent} %{NOTSPACE:referrer} %{NUMBER:response} %{NUMBER:subresponse} %{NUMBER:scstatus} %{NUMBER:timetaken}"]
}
}
#Set the Event Timesteamp from the log
date {
match => [ "log_timestamp", "YYYY-MM-dd HH:mm:ss" ]
timezone => "Etc/UTC"
}
useragent {
source=> "useragent"
prefix=> "browser"
}
mutate {
remove_field => [ "log_timestamp"]
}
if [type] == "iisbeat" and [response] not in ["404", "444"] {
drop {}
}
if [type] == "wineventlog"
{
if [event_id] not in [4625,4666] {
drop {}
}
}
if [type] == "apachebeat"
{
grok {
match => { "message" => "%{COMMONAPACHELOG}" }
add_tag => [ "apachebeat", "grokked" ]
}
}
if [type] == "apachebeat" and [response] not in ["404", "403"] {
drop {}
}
}
else if [tags] not in ["grokked"]
{drop{}}
}