When I add a Tag in the input and I chek it isnt added
Thank you
Please show
- your configuration
- an example event processed by Logstash
this is my config :
input {
file {
path => "/var/ossec/logs/alerts/alerts.json"
codec => "json"
}
beats {
port => 5044
}
udp {
codec => "json"
port => 5140
tags => ["nxlog"]
}
}
filter {
if [data][srcip] {
mutate {
add_field => [ "@src_ip", "%{[data][srcip]}" ]
}
}
if [data][aws][sourceIPAddress] {
mutate {
add_field => [ "@src_ip", "%{[data][aws][sourceIPAddress]}" ]
}
}
geoip {
source => "@src_ip"
target => "GeoLocation"
fields => ["city_name", "continent_code", "country_code2", "country_name", "region_name", "location"]
}
date {
match => ["timestamp", "ISO8601"]
target => "@timestamp"
}
mutate {
remove_field => [ "timestamp", "beat", "input_type", "tags", "count", "@version", "log", "offset", "type","@src_ip"]
}
}
output {
if [fields][log_type] == "apache" {
elasticsearch {
hosts => ["localhost:9200"]
index => "apache-%{+YYYY.MM.dd}"
}
}
else if [fields][log_type] == "messages" {
elasticsearch {
hosts => ["localhost:9200"]
index => "message-%{+YYYY.MM.dd}"
}
}
else if "nxlog" in [tags] {
elasticsearch {
hosts => ["localhost:9200"]
index => "nxlog-%{+YYYY.MM.dd}"
}
}
else {
elasticsearch {
hosts => ["localhost:9200"]
index => "wazuh-alerts-3.x-%{+YYYY.MM.dd}"
document_type => "wazuh"
}
}
}
When i check the logs generated by nxlog I dont find the tag : nxlog
you are removing tags over here.
Even this might not worked for you as u r removing tags before this condition.
Thank you a looooot,
I didn't pay attention to it, it's working perfectly now
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.