Send all Syslog messages that don't match output to another index?

jeromeat · May 7, 2021, 12:34pm

Noob here, so don't judge too hard.

However, I am wanting to find out if it's possible to have an output as such that's looking for specific tags and sending those messages to the windows* index but if they don't match they go to a pipeline* index. Is that possible???

       }
    output {
            if "NxLog","Windows Event" in [tags] {
                elasticsearch {
                hosts => "${ELASTICSEARCH_HOST_AND_PORT:elasticsearch.:9200}"
                index => "windowsevent-%{+YYYY.MM.dd}"
                }}
            else  {
                elasticsearch {
                hosts => "${ELASTICSEARCH_HOST_AND_PORT:elasticsearch.:9200}"
                index => "pipeline-%{+YYYY.MM.dd}"
            }
    }

Badger · May 7, 2021, 5:00pm

This can be done using a conditional in the output section, but I think it would need to be

if "NxLog" in [tags] or "Windows Event" in [tags] { ...

jeromeat · May 9, 2021, 9:22pm

Great..thanks for confirming.

system · June 6, 2021, 9:22pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Multiple pipelines or tags or if or else if? Logstash	3	2883	April 24, 2019
Logstash syslog output: Weird message processing Logstash	3	428	December 12, 2019
[SOLVED] Elasticsearch output filter by tags... now failing when on new indices Logstash	2	7156	July 6, 2017
How to push same document into multiple indexes? Logstash	7	3289	September 19, 2018
Logstash Config Issues Logstash	2	502	July 6, 2017

Send all Syslog messages that don't match output to another index?

Related topics