Two file output in Logstash

Vrops · November 16, 2022, 10:27am

Hello,

I have explored several forums but can't find any answers to my question.
I'm trying to get 2 Filebeat inputs and redirect them via Logstash with 2 different file outputs.

Here are my configuration files:

filebeat.yml:

# ============================== Filebeat inputs ===============================

filebeat.inputs:

# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.

# filestream is an input for collecting log messages from files.
- type: filestream

  # Unique ID among all inputs, an ID is required.
  id: ID1
  # Change to true to enable this input configuration.
  enabled: true

  # Paths that should be crawled and fetched. Glob based paths.
  tags: ["tag1"]
  paths:
    - /var/log/site1/access.log
    #- c:\programdata\elasticsearch\logs\*
- type: filestream

  id: ID2
  enabled: true 
  tags: ["tag2"]
  paths:
    - /var/log/site2/access.log

Logstash.config:

input {
     beats {
        port => 5044
  }
}

filter {
    grok {
        match => { "message" => "%{COMBINEDAPACHELOG}" }
    }

    date {
        match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
    }

    mutate {
        convert => {
            "response" => "integer"
            "bytes" => "integer"
  }
 }
}

output {
    if "tag1" in [tags]{
        stdout { codec => rubydebug }

        file {
        path => "/var/central-log/Output1.log"
      }

    }
    else if "tag2" in [tags]{ 
        stdout { codec => rubydebug }

        file {
          path => "/var/central-log/Output2.log"
        }
    }
}

Is this the right method? Can you help me?

Thank you,

Rios · November 17, 2022, 11:50am

Yes,this is it. Do you have any problems?

Vrops · November 17, 2022, 12:58pm

Yes, I have don't have error messages but nothing happens in logstash server.

Badger · November 17, 2022, 4:51pm

I suggest you add an unconditional else with a third file output and see if the events really have the [tags] that you expect.

Rios · November 17, 2022, 10:07pm

Just to add to Badger, you can add rubydebug on the top of output for better diagnostic.

output {
  stdout { codec => rubydebug }

if "tag1" in [tags]{
...
}

system · December 15, 2022, 10:08pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Can I make two input and output in the logstash config file? Logstash	4	249	May 11, 2023
Logstash-multiple inputs one output problem Logstash	4	2155	August 1, 2018
Multiple output in logstash config, pls help! Logstash	7	4095	December 20, 2016
Configure many outputs for filebeat Beats filebeat	3	303	April 22, 2019
How to create multiple index from file beat log input in log-stash config Beats filebeat	9	2988	May 6, 2019

Two file output in Logstash

Related Topics