Patterns : Logstash - Regular Expression HELP!

I'm using the Logstash "pattern" to select out a specific pattern inside the "message" field.

Following is the message

January 12th 2018, 15:47:52.228 Jan 12 15:47:51 198.18.109.70 interface,info ether7 link down
January 12th 2018, 15:47:52.228 Jan 12 15:47:51 203.143.61.15 route,bgp,info RemoteAddress=198.18.43.154
January 12th 2018, 15:47:52.228 Jan 12 15:47:51 203.143.61.15 route,bgp,info Failed to open TCP connection: No route to host
January 12th 2018, 15:47:51.226 Jan 12 15:47:50 198.18.13.44 dhcp,info MAIN assigned 172.16.219.87 to 24:A0:74:5F:C6:FE
January 12th 2018, 15:47:51.226 Jan 12 15:47:50 198.18.109.70 interface,info ether7 link up (speed 10M, full duplex)

From the above content I want to have a field which will filter out "route,bgp" messages.

I tried the following pattern but it's not working ..

cat pattern
BGP_TEST .bgp.

    input {
      file {
        path => "/var/log/syslog"
        type => "syslog"
      }
    }
    filter {
      if [type] == "syslog" {
        grok {
          patterns_dir => ["/etc/logstash/conf.d/patterns"]
          match => { "message" => "%{IP:client}" }
          match => { "message" => "%{BGP_TEST:bgp}" }
        }
      }
    }
    output {
      elasticsearch {
        hosts => "203.143.21.227"
      }
    }

Any Help ???

Any HELP :persevere:
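
One way to pull out the fields the post asks about, written in Ruby as an added example rather than as a grok pattern; it is not code from the original post. The field names `client`, `topics`, `detail` and `bgp`, the helpers `parse_line` and `bgp_events`, and the assumed line layout (timestamp, device IP, comma-separated topics, free text) are assumptions for illustration.

```ruby
# Added example: parse the syslog lines quoted in the post and tag BGP events.
# Field names (client, topics, detail, bgp) are assumptions for illustration.

# Sample lines copied from the post, including the leading display timestamp.
SAMPLE = <<~LOG
  January 12th 2018, 15:47:52.228 Jan 12 15:47:51 198.18.109.70 interface,info ether7 link down
  January 12th 2018, 15:47:52.228 Jan 12 15:47:51 203.143.61.15 route,bgp,info RemoteAddress=198.18.43.154
  January 12th 2018, 15:47:52.228 Jan 12 15:47:51 203.143.61.15 route,bgp,info Failed to open TCP connection: No route to host
  January 12th 2018, 15:47:51.226 Jan 12 15:47:50 198.18.13.44 dhcp,info MAIN assigned 172.16.219.87 to 24:A0:74:5F:C6:FE
  January 12th 2018, 15:47:51.226 Jan 12 15:47:50 198.18.109.70 interface,info ether7 link up (speed 10M, full duplex)
LOG

OCTET = /(?:25[0-5]|2[0-4]\d|1?\d?\d)/
LINE_RE = /
  (?<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s   # syslog timestamp
  (?<client>#{OCTET}(?:\.#{OCTET}){3})\s                # sending device
  (?<topics>[a-z0-9\-]+(?:,[a-z0-9\-]+)*)\s             # comma-separated topics
  (?<detail>.*)\z                                       # free-text remainder
/x

# Returns a hash of extracted fields, or nil when the line does not fit the layout.
def parse_line(line)
  m = LINE_RE.match(line.chomp)
  return nil unless m

  topics = m[:topics].split(",")
  {
    "client" => m[:client],
    "topics" => topics,
    "detail" => m[:detail],
    # Whole-topic comparison: "bgp" inside the free text does not count.
    "bgp"    => topics.include?("bgp")
  }
end

# Keeps only the events whose topic list contains "bgp".
def bgp_events(log)
  log.each_line.map { |l| parse_line(l) }.compact.select { |e| e["bgp"] }
end

if __FILE__ == $PROGRAM_NAME
  bgp_events(SAMPLE).each { |e| puts "#{e['client']} #{e['detail']}" }
end
```

Splitting the topic list before testing for `bgp` keeps a line that merely mentions "bgp" in its free text from being tagged as a BGP event.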
