Single syslog input to multiple indices output

bastianhoss · August 7, 2016, 10:00pm

Hi Community,

searching a way for multiple indice output. In this case with a lot of different programs. Cisco ASA...

My inputs is syslog, forwarding rsyslog massages in type "syslog"

input {
syslog {
type => syslog
port => 10514
}
}

filter options are possible when using program:

 else if [program] == "%ASA*" {
     grok{
        match => [
           "message" , "%{GREEDYDATA:data} "
        ]
     }
  }

and output dosen't work with:

...
else if [program] == "%ASA*" {
elasticsearch {
hosts => [ "ip:9200" ]
index => "firewall-"
}
}

Any ideas ?

magnusbaeck · August 10, 2016, 5:57am

Conditionals work fine within an output block so it's not clear what the problem is. I found two weird things though:

else if [program] == "%ASA*" {

Is the program field literally "%ASA*"? Or are you trying to use * as a wildcard character?

index => "firewall-"

Do you really want to store the events in an index named, literally, "firewall-"?

bastianhoss · August 17, 2016, 7:27am

Hi,

else if "ASA" in [program] {
elasticsearch {
index => "firewall-"
}
}

brings the correct seperation....