Two file output in Logstash

Vrops · November 16, 2022, 10:27am

Hello,

I have explored several forums but can't find any answers to my question.
I'm trying to get 2 Filebeat inputs and redirect them via Logstash with 2 different file outputs.

Here are my configuration files:

filebeat.yml:

# ============================== Filebeat inputs ===============================

filebeat.inputs:

# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.

# filestream is an input for collecting log messages from files.
- type: filestream

  # Unique ID among all inputs, an ID is required.
  id: ID1
  # Change to true to enable this input configuration.
  enabled: true

  # Paths that should be crawled and fetched. Glob based paths.
  tags: ["tag1"]
  paths:
    - /var/log/site1/access.log
    #- c:\programdata\elasticsearch\logs\*
- type: filestream

  id: ID2
  enabled: true 
  tags: ["tag2"]
  paths:
    - /var/log/site2/access.log

Logstash.config:

input {
     beats {
        port => 5044
  }
}

filter {
    grok {
        match => { "message" => "%{COMBINEDAPACHELOG}" }
    }

    date {
        match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
    }

    mutate {
        convert => {
            "response" => "integer"
            "bytes" => "integer"
  }
 }
}

output {
    if "tag1" in [tags]{
        stdout { codec => rubydebug }

        file {
        path => "/var/central-log/Output1.log"
      }

    }
    else if "tag2" in [tags]{ 
        stdout { codec => rubydebug }

        file {
          path => "/var/central-log/Output2.log"
        }
    }
}

Is this the right method? Can you help me?

Thank you,

Rios · November 17, 2022, 11:50am

Yes,this is it. Do you have any problems?

Vrops · November 17, 2022, 12:58pm

Yes, I have don't have error messages but nothing happens in logstash server.

Badger · November 17, 2022, 4:51pm

I suggest you add an unconditional else with a third file output and see if the events really have the [tags] that you expect.

Rios · November 17, 2022, 10:07pm

Just to add to Badger, you can add rubydebug on the top of output for better diagnostic.

output {
  stdout { codec => rubydebug }

if "tag1" in [tags]{
...
}

system · December 15, 2022, 10:08pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to setup multiple input and output in Filebeat config? Beats	12	13815	February 7, 2019
Give logstash two different log files with filebeat but i only get one in Elasticsearch Logstash	7	1141	June 10, 2019
Multiple Filebeat inputs with logstash output Beats	4	20135	September 25, 2018
Multiple outputs in the filebeats.yml to the logstash Beats filebeat	3	7691	December 18, 2019
Filebeat inputs configured to output to multiple logstash pipelines Beats filebeat	4	905	March 25, 2019

Two file output in Logstash

Related topics