Send logs to different index if grok parse fails

Hey there,
at the moment I have the following problem:

Many different devices are sending logs to port 514 and we don't want to reconfigure all of these devices.

I want to make a Logstash configuration which extracts information out of some devices and sends the other logs to a different index like rawdata-*

How do I have to configure the output for something like this?

This should be very close to what you want: http://stackoverflow.com/a/27147688/414355

1 Like
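
One way to set up the routing asked about above, as an added example that is not part of the original thread: the grok filter tags events it cannot parse, and the output section sends tagged events to `rawdata-*`. The grok pattern, the Elasticsearch host and the `parsed-*` index name are assumptions; only port 514 and `rawdata-*` come from the question.

```logstash
input {
  # All devices keep sending to port 514, so nothing has to be reconfigured.
  # Binding a port below 1024 requires elevated privileges for Logstash.
  udp { port => 514 type => "syslog" }
  tcp { port => 514 type => "syslog" }
}

filter {
  grok {
    # Assumed pattern: replace with the one matching the devices
    # whose fields you want to extract.
    match => { "message" => "%{SYSLOGLINE}" }
    # This is the default tag; it is spelled out here so the
    # conditional in the output section is easy to follow.
    tag_on_failure => ["_grokparsefailure"]
  }
}

output {
  if "_grokparsefailure" in [tags] {
    # Unparsed events are kept, not dropped, so the raw message
    # remains searchable for later investigation.
    elasticsearch {
      hosts => ["localhost:9200"]            # assumed host
      index => "rawdata-%{+YYYY.MM.dd}"
    }
  } else {
    elasticsearch {
      hosts => ["localhost:9200"]            # assumed host
      index => "parsed-%{+YYYY.MM.dd}"       # assumed index name
    }
  }
}
```

A steady rise in the document count of `rawdata-*` is a useful signal that a device changed its log format or that a new device type needs its own pattern.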
