Hi Team,
I have multiple applications running, and each application's logs are captured by Filebeat and sent to Logstash.
Below is the Logstash configuration file, /etc/logstash/conf.d/logstash.conf (showing only three applications).
input {
  # Filebeat shippers deliver events here over the beats protocol.
  # NOTE(review): no ssl options are set on this input, so shippers connect
  # in plaintext and are not authenticated; whether that is acceptable
  # depends on the network between the Filebeat hosts and this node.
  beats { port => 5044 }
}
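filter {
  # Node portal-api: a syslog prefix followed by a JSON payload.
  if [log_type] == "portal-api_app_server" and [app_id] == "node" {
    grok { match => { "message" => "%{SYSLOGBASE} %{GREEDYDATA:json_message}" } }
    # NOTE(review): with no `target`, keys from the JSON payload land on the
    # event root, so a payload key can overwrite fields this pipeline and the
    # output section rely on (log_type, type, @timestamp). Parsing into a
    # `target` sub-field would isolate them - confirm what downstream
    # dashboards expect before changing the document shape.
    json { source => "json_message" }
    mutate { replace => { "[type]" => "portal-api_app_server" } }
  }

  # PingFederate (pf) and PingDirectory (pd) lines share one format; the two
  # original branches were identical except for the value written to [type],
  # which in both cases equals [log_type], so they are handled once here.
  if ([log_type] == "federate_ping_server" and [app_id] == "pf")
     or ([log_type] == "directory_ping_server" and [app_id] == "pd") {
    # Field separator in these logs is "|"; turn it into whitespace so the
    # %{SPACE}-delimited pattern below matches.
    mutate { gsub => ["message","\|"," "] }
    grok {
      patterns_dir => ["/etc/logstash/patterns"]
      match => { "message" => "%{MY_DATE_PATTERN:timestamp}%{SPACE}%{LOGLEVEL:level}%{SPACE}%{UUID:ConsentID}%{SPACE}%{WORD:TransactionID}%{SPACE}%{WORD:TraceID}%{SPACE}%{GREEDYDATA:messagetext}" }
    }
    # [type] mirrors [log_type] for these two applications.
    mutate { replace => { "[type]" => "%{[log_type]}" } }
  }
}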
output {
  # One elasticsearch output per application; the index name is also used
  # as template_name, and template_overwrite "false" leaves an existing
  # template in the cluster untouched.
  # NOTE(review): each branch writes to a concrete index ("portal-api",
  # "federate", "directory") whose template sets index.lifecycle.rollover_alias
  # to that same name. ILM rollover expects writes to go through the alias
  # (the output's ilm_rollover_alias / ilm_policy options do this) - confirm
  # rollover is actually working on the cluster.
  # NOTE(review): all four outputs use plain http and the built-in "elastic"
  # superuser; a dedicated least-privilege writer role and TLS to Elasticsearch
  # are the usual hardening for this path.
  if [log_type] == "portal-api_app_server" {
    elasticsearch {
      hosts              => ["http://10.10.10.242:9200"]
      user               => "elastic"
      password           => "${es_pwd}"
      index              => "portal-api"
      template_name      => "portal-api"
      template_overwrite => "false"
    }
  }

  if [log_type] == "federate_ping_server" {
    elasticsearch {
      hosts              => ["http://10.10.10.242:9200"]
      user               => "elastic"
      password           => "${es_pwd}"
      index              => "federate"
      template_name      => "federate"
      template_overwrite => "false"
    }
  }

  if [log_type] == "directory_ping_server" {
    elasticsearch {
      hosts              => ["http://10.10.10.242:9200"]
      user               => "elastic"
      password           => "${es_pwd}"
      index              => "directory"
      template_name      => "directory"
      template_overwrite => "false"
    }
  }

  # Unconditional catch-all: every event, including those already routed by
  # the branches above, is indexed a second time under the beat-named
  # monthly index. Make this an `else` branch if that duplication is not
  # intended.
  elasticsearch {
    hosts    => ["http://10.10.10.242:9200"]
    user     => "elastic"
    password => "${es_pwd}"
    index    => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM}"
  }
}
Below are the index templates for the above three applications:
{
"name" : "portal-api_template",
"index_template" : {
"index_patterns" : [
"portal-api*"
],
"template" : {
"settings" : {
"index" : {
"lifecycle" : {
"name" : "testpolicy",
"rollover_alias" : "portal-api"
},
"number_of_shards" : "1",
"number_of_replicas" : "0"
}
},
"mappings" : {
"_routing" : {
"required" : false
},
"dynamic_date_formats" : [
"strict_date_optional_time",
"yyyy/MM/dd HH:mm:ss Z||yyyy/MM/dd Z"
],
"numeric_detection" : true,
"_source" : {
"excludes" : [ ],
"includes" : [ ],
"enabled" : true
},
"dynamic" : true,
"dynamic_templates" : [ ],
"date_detection" : true
},
"aliases" : {
"aliases" : { }
}
},
"composed_of" : [ ],
"priority" : 600,
"version" : 2
}
},
{
"name" : "federate_template",
"index_template" : {
"index_patterns" : [
"federate*"
],
"template" : {
"settings" : {
"index" : {
"lifecycle" : {
"name" : "testpolicy",
"rollover_alias" : "federate"
},
"number_of_shards" : "1",
"number_of_replicas" : "0"
}
},
"mappings" : {
"_routing" : {
"required" : false
},
"dynamic_date_formats" : [
"strict_date_optional_time",
"yyyy/MM/dd HH:mm:ss Z||yyyy/MM/dd Z"
],
"numeric_detection" : true,
"_source" : {
"excludes" : [ ],
"includes" : [ ],
"enabled" : true
},
"dynamic" : true,
"dynamic_templates" : [ ],
"date_detection" : true
},
"aliases" : {
"aliases" : { }
}
},
"composed_of" : [ ],
"priority" : 600,
"version" : 2
}
},
{
"name" : "directory_template",
"index_template" : {
"index_patterns" : [
"directory*"
],
"template" : {
"settings" : {
"index" : {
"lifecycle" : {
"name" : "testpolicy",
"rollover_alias" : "directory"
},
"number_of_shards" : "1",
"number_of_replicas" : "0"
}
},
"mappings" : {
"_routing" : {
"required" : false
},
"dynamic_date_formats" : [
"strict_date_optional_time",
"yyyy/MM/dd HH:mm:ss Z||yyyy/MM/dd Z"
],
"numeric_detection" : true,
"_source" : {
"excludes" : [ ],
"includes" : [ ],
"enabled" : true
},
"dynamic" : true,
"dynamic_templates" : [ ],
"date_detection" : true
},
"aliases" : {
"aliases" : { }
}
},
"composed_of" : [ ],
"priority" : 600,
"version" : 2
}
},
As you can see, each application has its own index template. I created these separate index templates because each index name is different and therefore needs a different index_patterns value. Can I use a single index template (as the other settings are the same for all) for all applications? Is there a way to specify multiple index_patterns to match multiple indices?
Thanks,