Tags in logstash

beren · October 16, 2019, 8:37am

Hi
How to direct postfix logs to index postfix ?

In logstash config

input {
  beats {
    port => 5044
  }
}

filter {
     grok { 
}
}     
output {
if "postfix" in [tags]{
        elasticsearch {
            hosts    => "localhost:9200"
            index    => "postfix-%{+YYYY.MM.dd}"
        }
}
}

In filebeat

filebeat.inputs:
- type: log
  enabled: true
  paths:
      - /var/log/maillog*
  exclude_files: [".gz$"]
tags: ["postfix"]
output.logstash:
  hosts: ["10.50.11.8:5044"]

In the log logstash a lot

[2019-10-15T15:48:42,437][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"newrelicdata", :_type=>"_doc", :routing=>nil}, #<LogStash::Event:0x4ceb504a>], :response=>{"index"=>{"_index"=>"newrelicdata", "_type"=>"_doc", "_id"=>"V7x2z20Bp3jq-MOqpNbt", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [host] of type [text] in document with id 'V7x2z20Bp3jq-MOqpNbt'. Preview of field's value: '{name=mail.domain.com}'", "caused_by"=>{"type"=>"illegal_state_exception", "reason"=>"Can't get text on a START_OBJECT at 1:521"}}}}}

Why date from mail.domain.com try to get not in index postfix ? And the data is trying to get into all the indexes ? Any help

system · November 13, 2019, 8:37am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
From logstash-forwarder to filebeat, how can use tags? Beats filebeat	2	1552	July 5, 2016
Filter messages based on tags Logstash	2	4805	January 31, 2019
Tags index with logstash and filebeat Logstash	4	1823	July 6, 2017
Postfix logs not forwarding to ELK Beats filebeat	7	3621	May 25, 2017
Logstash filter issue with tags Logstash	1	537	January 11, 2017

Tags in logstash

Related topics