Hi Team,
Can anyone help me with configuring multiple indexes from multiple inputs with Logstash?
I am unable to create multiple indexes in Elasticsearch (with multiple if conditions). One index is getting created but not both,
and it works well if I use just one condition with if / else.
But what if I want to create more than two indexes with multiple inputs?
My logstash.conf file:
input {
  # JSON syslog over UDP; every event from here is labelled type "rsyslog".
  # NOTE(review): if the decoded JSON already contains a "type" key, the
  # input does not override it - confirm the forwarder does not send one.
  udp {
    type => "rsyslog"
    codec => "json"
    host => "127.0.0.1"
    port => 10514
  }
  # FortiGate log tailed from disk; every event from here is labelled type "fortigate".
  # sincedb_path "/dev/null" + start_position "beginning" means no read offset is
  # persisted, so the whole file is re-read on each restart (fine for testing,
  # produces duplicates in the index in production).
  file {
    type => "fortigate"
    start_position => "beginning"
    sincedb_path => "/dev/null"
    path => "/home/user/Téléchargements/fortiWebFilter.log"
  }
}
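filter {
  if [type] == "fortigate" {
    # Split the leading <PRI> off the raw line so kv only sees key=value pairs.
    # Without "overwrite", grok appends the capture as a second value of
    # "message" instead of replacing it; kv still parses it.
    grok {
      match => ["message", "%{SYSLOG5424PRI:syslog_index}%{GREEDYDATA:message}"]
      #overwrite => [ "message" ]
      tag_on_failure => [ "failure_grok_fortigate" ]
    }
    kv {
      value_split => "="
    }
    mutate {
      # Use the timestamp inside the log instead of Logstash's: first build a
      # temp field from the log's date and time keys, converted to @timestamp below.
      # If kv did not produce "date"/"time", the literal "%{date} %{time}" is kept
      # and the date filter below fails (tag _dateparsefailure).
      add_field => { "temp_time" => "%{date} %{time}" }
      #add_field => { "Desti_Country" => "%{dstip}" }
      # The FortiGate log carries its own "type"/"subtype" keys, which collide
      # with the Logstash routing field, so move them aside.
      rename => { "type" => "ftg_type" }
      #rename => { "ip" => "Desti_IP" }
      rename => { "subtype" => "ftg_subtype" }
      #add_field => { "type" => "forti_log" }
      convert => { "rcvdbyte" => "integer" }
      convert => { "sentbyte" => "integer" }
    }
    # FIX: rename moves whatever was in [type] to [ftg_type] and leaves [type]
    # unset, so the output condition `if [type] == "fortigate"` could never
    # match and nothing was ever written to forti-index. Put the routing type
    # back in its own mutate so it runs strictly after the rename.
    mutate {
      replace => { "type" => "fortigate" }
    }
    date {
      match => [ "temp_time", "yyyy-MM-dd HH:mm:ss" ]
      timezone => "UTC"
      target => "@timestamp"
    }
    geoip {
      source => "dstip"
      add_field => [ "[geoip][desti_ip]", "%{[geoip][ip]}" ]
    }
    mutate {
      # Add/remove fields as you see fit.
      # NOTE(review): "tags" is removed here, so failure_grok_fortigate and
      # _dateparsefailure never reach Elasticsearch and parse failures are
      # invisible in the index; drop "tags" from this list if you want to
      # detect them.
      remove_field => ["syslog_index","sessionid","dstcountry","dstip","transip","country_code3","region_code","country_code2","syslog5424_pri","transport","appcat","srccountry","dstintf","devid","@version","itime","path","logver","logid","vd","host","srcintf","trandisp","location","date","time","service","temp_time","tags","sentpkt","rcvdpkt","log_id","message","poluuid"]
      remove_field => "[geoip][longitude]"
      remove_field => "[geoip][region_code]"
      remove_field => "[geoip][country_code3]"
      remove_field => "[geoip][continent_code]"
      remove_field => "[geoip][country_code2]"
      remove_field => "[geoip][latitude]"
      remove_field => "[geoip][location]"
      remove_field => "[geoip][region_name]"
      remove_field => "[geoip][ip]"
    }
  }
}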
output {
  #stdout { codec => rubydebug }
  # Route on [type]; an event that matches neither branch has no output and is
  # silently dropped (there is no catch-all else).
  # Both targets are plain HTTP to a local node; for a remote cluster add the
  # elasticsearch output's ssl/user/password settings.
  if [type] == "rsyslog" {
    elasticsearch {
      hosts => ["localhost:9200"]
      index => "rsyslog-index"
    }
  } else if [type] == "fortigate" {
    elasticsearch {
      hosts => ["localhost:9200"]
      #http_compression => "true"
      index => "forti-index"
    }
  }
}