Hello.
I'm having a problem understanding how exactly I am supposed to write the conditions in Logstash with regard to fields I added to Filebeat.
Here are my Filebeat inputs:
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - C:\inetpub\logs\LogFiles\*\*.log
  fields:
    iis: true
- type: log
  enabled: true
  paths:
    - C:\inetpub\logs\test\*.log
  fields:
    test: true
So what I am trying to do is to put each log in the correct index depending on the existing field iis or test.
My first pipeline currently looks like this:
#INPUT#
input {
  beats {
    port => 5044
    ssl => false
  }
}
#OUTPUT#
output {
  if [source] == "/var/log/messages" {
    pipeline { send_to => syslog }
  }
  elseif [source] == "/var/log/firewalld" {
    pipeline { send_to => firewalld }
  }
  elseif [type] == "wineventlog" {
    pipeline {send_to => winlog }
  }
  elseif [iis] {
    pipeline { send_to => iis }
  }
  elseif [test] {
    pipeline { send_to => test }
  }
}
The problem can only come from this pipeline: I tried with no condition, and everything goes into an index with the fields.test or fields.iis field as expected.
I tried to write [type] and [iis] as [fields][type] and [field][iis] but it doesn't work either.
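
An added example, not part of the original post: a distributor output that routes on the custom Filebeat fields from the inputs above. It assumes the downstream pipelines listen on the addresses `iis` and `test` as in the post; the `unrouted` address is a hypothetical catch-all introduced here.

```logstash
# Added example, not the poster's config.
# Filebeat places custom `fields` under a top-level "fields" key unless
# fields_under_root: true is set on the input, so the events from the two
# inputs above carry [fields][iis] and [fields][test], not [iis] and [test].
input {
  beats {
    port => 5044
  }
}

output {
  # Logstash spells the chained branch "else if" (two words).
  if [fields][iis] {
    pipeline { send_to => ["iis"] }
  } else if [fields][test] {
    pipeline { send_to => ["test"] }
  } else {
    # Hypothetical catch-all address: an event that matches no output
    # branch is silently dropped, so send unmatched events somewhere
    # they can be inspected instead of losing the logs.
    pipeline { send_to => ["unrouted"] }
  }
}
```

Each `send_to` value needs a pipeline whose `pipeline` input declares the same `address`, otherwise the distributor blocks waiting for it.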