Separate ELK pattern for log files

sanjeev1895 · August 1, 2023, 2:56pm

Hi team,
Can any one help me to find the solution for my below requirement.

I have two apache server and I want to send the apache access and error logs to elk server via filebeat apache module to logstash. I configured apache.yml and apache.conf file in logstash.
example:
in logstash,
apache1.conf - srever1
apache2.conf - server2. with different index name.
These configuration was working fine, but the issue is it sending the logs to both index name.
see my apache.conf file below,( apache2.conf file also same , only the difference is file path and index name)

input {
  beats {
     port => 5044
 }
}

filter {
    if [log][file][path] in ["/var/log/apache2/sfsite-access_log","/var/log/apache2/sfapi-access_log"] {
      grok {
        match => { "message" => "\[%{HTTPDATE:time_stamp}\] %{HOSTNAME:domain_name} \"%{WORD:method} /%{NOTSPACE:request_page} HTTP/%{NUMBER:http_version}\" %{NUMBER:response_code} (?:%{NUMBER:response_bytes}|-)  %{QS:agent} %{NOTSPACE:page_url} %{QS:agent_type}" }

 }
      grok {
        match => { "message" => "%{IP:client_ip}" }
 }
      geoip {
        source => "[client_ip]"
        ecs_compatibility => disabled
      }
}

else if [log][file][path] in ["/var/log/apache2/sfsite-error_log","/var/log/apache2/sfapi-error_log"] {
      grok {
        match => { "message" => "\[%{HTTPDERROR_DATE:timestamp-error}\] \[%{DATA:loglevel}%{SPACE}\] \[%{DATA:process-id}%{SPACE}\]%{SPACE}\[%{DATA:client-ip}\] %{GREEDYDATA:message} (\[%{NOTSPACE:Index}\]\[%{NUMBER:shards}\])?%{GREEDYDATA} %{GREEDYDATA:referred_url}" }
   }
 }
}


output {
  elasticsearch {
    hosts => ["https://a.a.a.a:9200"]
    index => "index-testing-%{+YYYY.MM.dd}"
    user => "elastic"
    password => "pppppp"
    ssl => true
    cacert => "/etc/logstash/http_ca.crt"
  }
}

can any one help me out this.

leandrojmp · August 1, 2023, 2:59pm

You need to have conditionals in the output as well, the same ones that you are using in the filter section.

sanjeev1895 · August 1, 2023, 5:45pm

Hi @Leandrojmp

Can you give any examples for configure the conditional statements in output sections as well. It will more helpful.

Also is there any documentation..!

leandrojmp · August 1, 2023, 5:52pm

It is exactly the same ones you are using in your filter.

It would be something like this:

output {
  if [log][file][path] in ["/var/log/apache2/sfsite-access_log","/var/log/apache2/sfapi-access_log"] {
    elasticsearch { your output for this indice}
  } else if [log][file][path] in ["/var/log/apache2/sfsite-error_log","/var/log/apache2/sfapi-error_log"] {
    elasticsearch { your output for this indice}
  }
}

The documentation about conditionals is this one.

sanjeev1895 · August 1, 2023, 6:14pm

@leandrojmp

Thank you so much for your guidance.

system · August 29, 2023, 6:14pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Issue with sending apache logs to elasticsearch with different indices Beats filebeat	1	394	July 5, 2023
How to create the Multiple Index for each Apache Webserver Beats filebeat	2	131	June 13, 2023
Logstash Conf File for Apache Log won't interpret "message" Logstash	15	1796	October 21, 2017
Filebeat to send logs to Logstash and ES Elasticsearch	7	1491	October 22, 2019
Logstash configuration : 6.3 Logstash	11	511	September 20, 2018

Separate ELK pattern for log files

Related Topics