Hello,
i hope you are doing well.
i am trying to separate device in logstash based on the destination port.
i am using the below config file
"input {
udp { port => 5014}
udp { port => 5015 }
}
filter {
if port == 5014 {
grok {
patterns_dir => "/usr/share/logstash/grok_patterns"
match => {
"message" => "%{TEST:test}\d+: \d*.\d*.\d*.\d*: %{SEQUENCE_NUMBER:syslog_sequence_number}:\s+%{SYSLOGTIMESTAMP:syslog_timestamp}:\s+%{GREEDYDATA:syslog_message}"
}
add_tag => [ "itnc_rs" ]
remove_field => "test"
remove_field => "@version"
remove_field => "event.original"
remove_field => "port"
#remove_field => "@timestamp"
}
}
}
if port == 5015 {
grok {
patterns_dir => "/usr/share/logstash/grok_patterns"
match => {
"message" => "%{TEST:test}\d+: \d*.\d*.\d*.\d*: %{SEQUENCE_NUMBER:syslog_sequence_number}:\s+%{SYSLOGTIMESTAMP:syslog_timestamp}:\s+%{GREEDYDATA:syslog_message}"
}
add_tag => [ "itnc_wlc" ]
remove_field => "test"
remove_field => "@version"
remove_field => "event.original"
remove_field => "port"
#remove_field => "@timestamp"
}
}
output {
if port == 5014 {
elasticsearch {
hosts => ["localhost:9200"]
user => "bot_it_itnc_rw"
password => "xxxxxxx!"
index => "it-itnc-rs-%{+YYYY.MM}"
}
}
if port == 5015 {
elasticsearch {
hosts => ["localhost:9200"]
user => "bot_it_itnc_rw"
password => "xxxxx"
index => "it-itnc-wlc-%{+YYYY.MM}"
}
}
}
"
it is not working at all. i will be really thankful if you can take a look