Hello to everyone!
First of all, I'm an infant in using Logstash and have just briefly read some parts of the Logstash docs.
So do not blame me for stupid questions, please! =)
Now, let's look into my question.
Preface:
My future scenario for using Logstash is to transform udp\tcp\syslog messages into files and then read these files using another product.
In my company, we have various network and hardware devices that send syslog data.
We considered separating devices into categories and using different ports to send syslog data.
For example, we have network switches using port 1101 and routers using port 1102.
What I want to achieve:
I want to generate a file per one particular syslog\udp\tcp port. It helps me to categorize data afterward.
For example, data that comes via port '1101' is stored in file 'switches.log', and data that comes via port '1102' is stored in 'routers.log'.
What I have in my head now:
After I read the docs and a couple of posts from this forum, it seems to me that I have two different approaches to solving my task.
If there are others, please tell me; I will appreciate it ;).
- Conditional output
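I have only one pipeline.conf with something that looks like this:
default-pipeline.conf
```
input {
  syslog {
    port => 1101
    # type labels events from this input so the output can route on it
    type => "switches"
  }
  syslog {
    port => 1102
    type => "routers"
  }
}
output {
  # Conditionals need a comparison and braces around the plugin block
  if [type] == "switches" {
    file {
      path => "/path/switches.log"
    }
  }
  if [type] == "routers" {
    file {
      path => "/path/routers.log"
    }
  }
}
```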
- One pipeline for each port
Instead of using conditions, I use one pipeline for each port:
pipeline.conf
```
# Logstash reads this pipeline list from pipelines.yml
- pipeline.id: switches
  path.config: ".../switches.conf"
- pipeline.id: routers
  path.config: ".../routers.conf"
```
switches.conf (for example)
```
input {
  syslog {
    port => 1101
  }
}
output {
  file {
    path => "/path/switches.log"
  }
}
```
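
A way to confirm that either layout above routes each port to its own file (an added example, not part of the original post): the script sends one uniquely marked syslog line per port over UDP and reports any marker that is missing or found in the wrong file. It assumes Logstash listens on 127.0.0.1, the output files are readable where the script runs, and the file output writes the message text; the function names are illustrative.

```python
import socket, time, uuid
from pathlib import Path

# Port-to-file mapping from the post; "/path/..." are the post's placeholder paths.
ROUTES = {1101: "/path/switches.log", 1102: "/path/routers.log"}

def build_probe(marker, host="probe-host"):
    """Build an RFC 3164 style line (PRI 134 = local0.info) carrying the marker."""
    t = time.localtime()
    stamp = f"{time.strftime('%b', t)} {t.tm_mday:2d} {time.strftime('%H:%M:%S', t)}"
    return f"<134>{stamp} {host} routecheck: {marker}".encode()

def send_probe(port, marker, server="127.0.0.1"):
    """Send one probe datagram to the Logstash syslog input on the given UDP port."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(build_probe(marker), (server, port))

def files_containing(marker, routes):
    """Return the set of ports whose output file contains the marker."""
    hits = set()
    for port, path in routes.items():
        p = Path(path)
        if p.is_file() and marker in p.read_text(errors="replace"):
            hits.add(port)
    return hits

def check_routing(routes, send=send_probe, wait=5.0):
    """Probe every port with a unique marker; return {port: files_hit} for each
    port whose marker was lost or reached a file other than its own."""
    markers = {port: f"rc-{uuid.uuid4().hex}" for port in routes}
    for port, marker in markers.items():
        send(port, marker)
    time.sleep(wait)  # give the file output time to flush
    problems = {}
    for port, marker in markers.items():
        hits = files_containing(marker, routes)
        if hits != {port}:
            problems[port] = hits
    return problems

if __name__ == "__main__":
    for port, hits in check_routing(ROUTES).items():
        print(f"port {port}: expected {ROUTES[port]}, found in {sorted(hits) or 'no file'}")
```

An empty result means every probe reached exactly the file mapped to its port.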