I have two Logstash configuration files under one folder. Following are the configurations for both files:

File 1:

    input {
      tcp {
        port => 50002
        add_field => { log_type => 'panw' }
      }
    }
    filter {
      # Filtering the data using mutate
    }
    output {
      stdout { codec => rubydebug }
      if [log_type] == 'panw' {
        kafka {
          codec => line { format => "%{message}" }
          bootstrap_servers => '127.0.0.1:6667'
          topic_id => "traffic_logs"
        }
      }
    }

File 2:

    input {
      tcp {
        port => 50001
        add_field => { log_type => 'proxy' }
      }
    }
    filter {
      # Filtering the data using mutate
    }
    output {
      stdout { codec => rubydebug }
      if [log_type] == 'proxy' {
        kafka {
          codec => line { format => "%{message}" }
          bootstrap_servers => '127.0.0.1:6667'
          topic_id => "proxy_logs"
        }
      }
    }

I can only see debug logs and Kafka logs for the proxy conf. panw does not work. I don't see any errors or warnings either.
I used tcpdump to make sure both ports are getting the data.
Also, both ports are listening:

    [centos@ip- ~]$ sudo netstat -lntp | grep 50002
    tcp6 0 0 :::50002 :::* LISTEN 13863/java
    [centos@ip- ~]$ sudo netstat -lntp | grep 50001
    tcp6 0 0 :::50001 :::* LISTEN 13863/java

where 13863 is the Logstash process.
When I remove the proxy file from the conf dir, panw works perfectly. It doesn't work when I add the proxy conf.
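
Logstash concatenates every file in a config directory into a single pipeline, so events from both tcp inputs pass through every filter and output block in both files. One way to keep the two files isolated is a `pipelines.yml` like the following (an added example, not part of the original post; the pipeline ids and file paths are assumed placeholders):

```yaml
# pipelines.yml, placed in the Logstash settings directory.
# Each entry runs as its own pipeline with its own inputs, filters and
# outputs, so events received on port 50002 never reach the proxy file's
# filter or output blocks, and vice versa.

# File 1 from the post (tcp 50002 -> topic traffic_logs).
# The path is an assumed placeholder.
- pipeline.id: panw
  path.config: "/etc/logstash/conf.d/panw.conf"

# File 2 from the post (tcp 50001 -> topic proxy_logs).
# The path is an assumed placeholder.
- pipeline.id: proxy
  path.config: "/etc/logstash/conf.d/proxy.conf"
```

Logstash reads `pipelines.yml` only when it is started without `-f` or `-e`; with either flag the file is ignored and the directory is loaded as one pipeline again.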