Separate configs, different indexes yet both logs go to both indexes

I have the following 2 config files:

############IMAP Email reader############

input {
    imap {
        host => "imap.gmail.com"
        user => "account@gmail.com"
        password => "pass"
        secure => true
        port => 993
        check_interval => 30
    }
}

output {
    elasticsearch {
        hosts => ["localhost:9200"]
        index => "mailbox-%{+YYYY.MM.dd}"
        user => user
        password => pass
    }
}

#########SYSLOG to firewall##########

input {
    syslog {
        type => "syslog"
        port => 55555
    }
}

output {
    elasticsearch {
        hosts => ["localhost:9200"]
        index => "fortigate-%{+YYYY.MM.dd}"
        user => user
        password => pass
    }
}

For some reason I'm seeing both logs on both indexes. Meaning the indexes are duplicates of each other. I have no idea how and why that happens...

Have a look at this thread. Logstash basically concatenates all files in the config directory, which means that all inputs will go to all outputs unless you use conditionals.

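The conditional routing described in the reply, as an added example that is not part of the original posts: each input sets a `type`, and each output is wrapped in a matching conditional, so firewall events stay out of the mailbox index and mail events stay out of the fortigate index even though Logstash merges both files into one pipeline. The file names and the `"mailbox"` type value are assumptions; the remaining settings are the ones from the question.

```logstash
# ---- mailbox.conf (file name is an assumption) ----
input {
  imap {
    host => "imap.gmail.com"
    user => "account@gmail.com"
    password => "pass"
    secure => true
    port => 993
    check_interval => 30
    type => "mailbox"          # assumed value; marks every event from this input
  }
}

output {
  # Only events that came from the imap input reach this index.
  if [type] == "mailbox" {
    elasticsearch {
      hosts => ["localhost:9200"]
      index => "mailbox-%{+YYYY.MM.dd}"
      user => "user"
      password => "pass"
    }
  }
}

# ---- fortigate.conf (file name is an assumption) ----
input {
  syslog {
    type => "syslog"           # already set in the original config
    port => 55555
  }
}

output {
  # Only events that came from the syslog input reach this index.
  if [type] == "syslog" {
    elasticsearch {
      hosts => ["localhost:9200"]
      index => "fortigate-%{+YYYY.MM.dd}"
      user => "user"
      password => "pass"
    }
  }
}
```

An event whose `type` matches neither conditional is sent to no output, so any input added to the directory later needs its own `type` and guarded output.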