Output NetFlow and Syslog to Elasticsearch


(Ben) #1

Hello, I have an ELK server currently taking NetFlow traffic
from a single host and sending this to a custom index name (logstash_netflow-*)
etc and I’m now wanting to take syslogs on UDP port 5000. Currently NetFlow is
coming in on UDP port 9995 which works well.

What I’m wanting to do is be able to set an IF statement in
the output config so it will only take them from NetFlow and syslog only.

Is it possible to set the IF statement on maybe the netflow [codec]
directive and the syslog [type]? This is how I’m wanting to differentiate
inbound traffic.

Thanks


(Ben) #2

I’ll add some more details, this server is taking syslogs
and NetFlow on alternate ports just fine. What I’m wanting to do is differentiate
between NetFlow and syslog in the output config by using a different IF
statement rather than (if ( [host] =~ /192.168.1.254/ ) {) in the below
.conf file, because I’d rather not have to specify the host each time I want to
add a new NetFlow device:

output {
  # Debug copy of every event on stdout
  stdout { codec => rubydebug }

  # Route by exporter address: the NetFlow device goes to its own index
  if ( [host] =~ /192\.168\.1\.254/ ) {
    elasticsearch {
      index => "logstash_netflow5-%{+YYYY.MM.dd}"
      host => "localhost"
    }
  } else {
    # Everything else (syslog) lands in the default index
    elasticsearch {
      index => "logstash-%{+YYYY.MM.dd}"
      host => "localhost"
    }
  }
}

(Magnus Bäck) #3

Is it possible to set the IF statement on maybe the netflow [codec] directive and the syslog [type]? This is how I’m wanting to differentiate inbound traffic.

Sure. You can place conditions on any field or combination of fields.

if [type] == "netflow" {
  ...
}
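
A full pipeline built on that answer, as an added example rather than Ben's or Magnus Bäck's own configuration: each UDP listener stamps its events with a `type`, a grok filter parses the syslog lines, and the output routes on `[type]` instead of the exporter address. The `hosts` option is assumed for a current Logstash release (the thread's config uses the older single `host` setting); ports and index names are taken from the thread.

```conf
# Added example, not the thread's own config.
input {
  udp {
    port  => 9995
    codec => netflow          # logstash-codec-netflow decodes the NetFlow records
    type  => "netflow"        # set by the listener, not by the sender
  }
  udp {
    port => 5000
    type => "syslog"
  }
}

filter {
  if [type] == "syslog" {
    # Break RFC3164-style lines into host/program/message fields so the
    # index can be queried on them rather than on the raw text.
    grok {
      match => { "message" => "%{SYSLOGLINE}" }
    }
  }
}

output {
  if [type] == "netflow" {
    elasticsearch {
      hosts => ["http://localhost:9200"]   # assumed endpoint
      index => "logstash_netflow5-%{+YYYY.MM.dd}"
    }
  } else if [type] == "syslog" {
    elasticsearch {
      hosts => ["http://localhost:9200"]   # assumed endpoint
      index => "logstash-%{+YYYY.MM.dd}"
    }
  }
  # An event with any other type matches no output block and is discarded,
  # which gives the "NetFlow and syslog only" behaviour asked for above.
}
```

Validate the syntax before restarting the service with `logstash -f pipeline.conf -t` (`--config.test_and_exit` on Logstash 5 and later). Because `type` is assigned by the input plugin rather than parsed out of the packet, the routing decision cannot be influenced by the content a sender puts in its datagrams, and adding a new NetFlow exporter needs no change to the output section at all.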

(Ben) #4

Thanks, this worked and I just needed to add in the “type
=> netflow” directive into my input .conf too.

Thanks again.
