Multiple Grok filters with Logstash 6 for a single logfile?

burnersk · December 5, 2017, 10:00am

@magnusbaeck: If I understand you correctly, I could achieve my goal by doing partial Grok matches, correct?

grok {
  match => { "message" => "%{SYSLOGBASE}%{SPACE}%{GREEDYDATA:log_message}" }
}
if "_grokparsefailure" not in [tags] {
  #
  # Add program label tag
  if [program] {
    mutate { add_tag => [ "%{program}" ] }
  }
  #
  # SSH server
  if [program] == "sshd" {
    #
    # SSH server starts listening for incoming connections
    if [log_message] =~ "Server·listening·on" {
      grok {
        match => { log_message => "Server listening on %{IPORHOST:address} port %{POSINT:port}." }
        add_tag => [ "%{program}_server", "%{program}_server_start" ]
      }
    }
    #
    # SSH server receives a POSIX signal
    if [log_message] =~ "Received signal" {
      grok {
        match => { log_message => "Received signal %{NONNEGINT:posix_signal}; %{GREEDYDATA:action}." }
        add_tag => [ "%{program}_server" ]
      }
      if [action] == "terminating" {
        mutate { add_tag => [ "%{program}_server_stop" ] }
      }
    }
  }
}

Topic		Replies	Views
Grok with conditional patterns and adding a tag Logstash	3	23713	July 6, 2017
How to add multiple grok pattern in one filter? Logstash	6	4040	May 17, 2018
Multiple match option in grok Logstash	8	15819	May 24, 2017
_grokparsefailure Tag in all parsed logs with multiple grok filter Logstash	6	1582	September 30, 2020
Matching multiple Grok patterns in a single Logstash config file Logstash	2	3542	May 30, 2017

Multiple Grok filters with Logstash 6 for a single logfile?

Related topics