Send all Syslog messages that don't match output to another index?

jeromeat · May 7, 2021, 12:34pm

Noob here, so don't judge too hard.

However, I am wanting to find out if it's possible to have an output as such that's looking for specific tags and sending those messages to the windows* index but if they don't match they go to a pipeline* index. Is that possible???

       }
    output {
            if "NxLog","Windows Event" in [tags] {
                elasticsearch {
                hosts => "${ELASTICSEARCH_HOST_AND_PORT:elasticsearch.:9200}"
                index => "windowsevent-%{+YYYY.MM.dd}"
                }}
            else  {
                elasticsearch {
                hosts => "${ELASTICSEARCH_HOST_AND_PORT:elasticsearch.:9200}"
                index => "pipeline-%{+YYYY.MM.dd}"
            }
    }

Badger · May 7, 2021, 5:00pm

This can be done using a conditional in the output section, but I think it would need to be

if "NxLog" in [tags] or "Windows Event" in [tags] { ...

jeromeat · May 9, 2021, 9:22pm

Great..thanks for confirming.

system · June 6, 2021, 9:22pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.