I have created two mutate filters: one to get all the /var/log/messages to type > security, and the other to get all the logs from one kind of host to type > host_type.
I am not able to see the /var/log/messages in the host_type index.
Here is the filter code I am using. Please help me understand what's going on here. Why am I not able to see /var/log/messages in my apihost index?
I have Filebeat set up on the hosts to send logs to Logstash.
@mancharagopan thanks for your reply. Yeah I am sending them to a different index like I mentioned in my post:
filter-security.conf
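    filter {
      # Match events whose source file is one of the listed system logs
      if [source] =~ /\/var\/log\/(secure|syslog|auth.log|messages|kern.log)$/ {
        mutate {
          # Overwrite the event's type field with "security"
          replace => { "type" => "security" }
        }
      }
    }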
So what I am trying to achieve is that I want to see them in both my indexes: 'security' as well as 'apihost'.
As I am sending /var/log/* to the 'security' index, I am not able to see only those logs in the 'apihost' index. But I can see all the other logs I am sending from apihosts to the 'apihost' index. Please advise. Thanks.
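Added example, not part of the original posts and not the poster's configuration: one way to get the same event into both indexes is to tag the security-relevant files instead of replacing `type`, then route on both fields in the output. It assumes the host filter sets `type` to `apihost` and that the output picks the index from `type`; the Elasticsearch address and the index patterns are placeholders.

```logstash
filter {
  # Tag the system log files rather than overwriting "type", so the
  # host-level type (assumed here to be "apihost") is preserved.
  if [source] =~ /\/var\/log\/(secure|syslog|auth\.log|messages|kern\.log)$/ {
    mutate {
      add_tag => ["security"]
    }
  }
}

output {
  # Every event from the API hosts goes to the host index.
  if [type] == "apihost" {
    elasticsearch {
      hosts => ["localhost:9200"]            # placeholder address
      index => "apihost-%{+YYYY.MM.dd}"      # placeholder index pattern
    }
  }

  # Tagged events are additionally written to the security index.
  # The two conditionals are independent, so a tagged apihost event
  # is indexed twice, once per index.
  if "security" in [tags] {
    elasticsearch {
      hosts => ["localhost:9200"]            # placeholder address
      index => "security-%{+YYYY.MM.dd}"     # placeholder index pattern
    }
  }
}
```

With a single `type` field and `replace`, each event can carry only one value, so whichever filter runs last decides the one index it lands in.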