Separate device in logstash based on the destination port

abd_sh · June 27, 2022, 10:44am

Hello,

i hope you are doing well.
i am trying to separate device in logstash based on the destination port.
i am using the below config file
"input {
udp { port => 5014}
udp { port => 5015 }
}

filter {
if port == 5014 {
grok {
patterns_dir => "/usr/share/logstash/grok_patterns"
match => {
"message" => "%{TEST:test}\d+: \d*.\d*.\d*.\d*: %{SEQUENCE_NUMBER:syslog_sequence_number}:\s+%{SYSLOGTIMESTAMP:syslog_timestamp}:\s+%{GREEDYDATA:syslog_message}"
}
add_tag => [ "itnc_rs" ]
remove_field => "test"
remove_field => "@version"
remove_field => "event.original"
remove_field => "port"
#remove_field => "@timestamp"
}

}
if port == 5015 {
grok {
patterns_dir => "/usr/share/logstash/grok_patterns"
match => {
"message" => "%{TEST:test}\d+: \d*.\d*.\d*.\d*: %{SEQUENCE_NUMBER:syslog_sequence_number}:\s+%{SYSLOGTIMESTAMP:syslog_timestamp}:\s+%{GREEDYDATA:syslog_message}"
}
add_tag => [ "itnc_wlc" ]
remove_field => "test"
remove_field => "@version"
remove_field => "event.original"
remove_field => "port"
#remove_field => "@timestamp"
}
}

output {
if port == 5014 {
elasticsearch {
hosts => ["localhost:9200"]
user => "bot_it_itnc_rw"
password => "xxxxxxx!"
index => "it-itnc-rs-%{+YYYY.MM}"
}
}

if port == 5015 {
elasticsearch {
hosts => ["localhost:9200"]
user => "bot_it_itnc_rw"
password => "xxxxx"
index => "it-itnc-wlc-%{+YYYY.MM}"
}
}
}
"

it is not working at all. i will be really thankful if you can take a look

system · July 25, 2022, 10:44am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.