Not able to write to a file with a particular tag

I'm trying to write all logs with the tag Prod to a file, but it's not working. When I remove the tag condition it works, but not with tags.

Any inputs?

Here is my pipeline:

input {
  # Accept RFC 5424 syslog over both transports on the same port.
  tcp {
    port => 10514
    type => syslog
  }

  udp {
    port => 10514
    type => syslog
  }
}

filter {
  if [type] == "syslog" {
    # Parse the RFC 5424 header into syslog5424_* fields. When the pattern
    # does not match, Logstash adds the _grokparsefailure tag to the event.
    grok {
      match => { "message" => "%{SYSLOG5424PRI}%{NONNEGINT:syslog5424_ver} +(?:%{TIMESTAMP_ISO8601:syslog5424_ts}|-) +(?:%{HOSTNAME:syslog5424_host}|-) +(?:%{NOTSPACE:syslog5424_app}|-) +(?:%{NOTSPACE:syslog5424_proc}|-) +(?:%{WORD:syslog5424_msgid}|-) +(?:%{SYSLOG5424SD:syslog5424_sd}|-|) +%{GREEDYDATA:syslog5424_msg}" }
    }

    # SYSLOG5424PRI stores the <PRI> value in syslog5424_pri, so point the
    # syslog_pri filter at that field to get facility and severity.
    syslog_pri {
      syslog_pri_field_name => "syslog5424_pri"
    }

    # The timestamp captured by the grok pattern is ISO 8601, so parse it as such.
    date {
      match => [ "syslog5424_ts", "ISO8601" ]
    }

    # Only copy parsed fields when the grok pattern actually matched; otherwise
    # the sprintf references would be written as literal "%{...}" strings.
    if !("_grokparsefailure" in [tags]) {
      mutate {
        replace => [ "@source_host", "%{syslog5424_host}" ]
        replace => [ "@message", "%{syslog5424_msg}" ]
      }
    }

    mutate {
      remove_field => [ "syslog5424_host", "syslog5424_msg", "syslog5424_ts" ]
    }

    # Tag production traffic. The regex is case-sensitive and needs one
    # character on each side of a lowercase "prod"; a message containing
    # "Prod" or "PROD" is not tagged.
    if [message] =~ /.prod./ {
      mutate {
        add_tag => ["Prod"]
      }
    }
  }
}

output {
  if [type] == "syslog" {
    elasticsearch {
      hosts => ["10.31.45.85:9450", "10.31.45.86:9450", "10.31.45.87:9450"]
      index => "logstash-%{+yyyy.MM.dd}"
    }

    # Route by tag: tagged events go to test-*.log, everything else to test2-*.log.
    if "Prod" in [tags] {
      file {
        path => "/home/myuser/logstash-logs/test-%{+YYYY-MM-dd}.log"
        codec => rubydebug
      }
    } else {
      file {
        path => "/home/myuser/logstash-logs/test2-%{+YYYY-MM-dd}.log"
        codec => rubydebug
      }
    }
  }
}

Are you saying that when you use the 'if "Prod" in [tags] {' conditional the events do not get written to either file?

It gets written in the else part but not in the if part.

Then the [tags] array does not contain an entry "Prod". What does the event look like in Kibana? Copy and paste from the JSON tab after expanding an event.
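To see which events actually receive the tag before looking in Kibana, here is an added Ruby example that is not part of this thread: it reproduces the pipeline's tagging condition (`[message] =~ /.prod./`) and the output routing in plain Ruby so it can be run against sample lines without Logstash. Logstash evaluates `=~` with a Ruby-style regex, so the match semantics are the same. The simplified RFC 5424 parser, the sample log lines and the `test`/`test2` route names are constructed for the example and stand in for the grok pattern and the two file outputs.

```ruby
# Added example, not from the original thread: reproduces the tagging and
# routing decision of the pipeline above so it can be checked offline.

# Simplified RFC 5424 parser standing in for the grok pattern. It captures the
# same fields the pattern names (timestamp, host, app, proc, msgid, structured
# data, message). Assumption: one syslog message per line.
SYSLOG5424 = /\A<(?<pri>\d{1,3})>(?<ver>\d+) +(?<ts>\S+) +(?<host>\S+) +(?<app>\S+) +(?<proc>\S+) +(?<msgid>\S+) +(?<sd>\[.*?\]|-|) +(?<msg>.*)\z/

# The exact condition the pipeline uses. It is case-sensitive and needs one
# character on each side of a lowercase "prod".
PROD_PATTERN = /.prod./

# Build the event the filter section would produce for one input line.
def parse_event(line)
  event = { "message" => line, "type" => "syslog", "tags" => [] }
  m = SYSLOG5424.match(line)
  if m
    %w[pri ver ts host app proc msgid sd msg].each { |k| event["syslog5424_#{k}"] = m[k] }
  else
    # grok adds this tag when the pattern does not match
    event["tags"] << "_grokparsefailure"
  end
  # The tag condition runs on the raw message regardless of grok success.
  event["tags"] << "Prod" if event["message"] =~ PROD_PATTERN
  event
end

# Mirrors the output section: "test" is the Prod file, "test2" the else branch.
def route(event)
  event["tags"].include?("Prod") ? "test" : "test2"
end

# Constructed sample lines (not from the thread).
SAMPLES = [
  "<34>1 2023-10-11T22:14:15.003Z web01.prod.example.com nginx 1234 ID47 - GET /login 200",
  "<34>1 2023-10-11T22:14:16.003Z web01.PROD.example.com nginx 1234 ID47 - GET /login 200",
  "<34>1 2023-10-11T22:14:17.003Z db01.staging.example.com postgres 77 - - checkpoint complete",
  "not a syslog line at all, but mentions prod anyway",
]

if __FILE__ == $0
  SAMPLES.each do |line|
    ev = parse_event(line)
    puts "#{route(ev).ljust(5)} tags=#{ev['tags'].inspect}  #{line[0, 60]}"
  end
end
```

Running it shows the two ways an event ends up in test2: the message does not contain lowercase "prod" with a character on each side (the uppercase PROD host), or it contains no "prod" at all (the staging host). It also shows that an unparseable line still gets the Prod tag, because the regex is applied to [message], not to a grok field.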
