Thanks Paris. I am glad you replied asap. I really appreciate your help. Thanks a lot!! You made my day!!
Thank you very much!!
The Beats shipper automatically sets the type field on the event. You cannot override this setting in the Logstash config. If you specify a setting for the type config option in Logstash, it is ignored.
It helped me a lot to resolve the above issue. I haven't changed the filter configurations.
I have used the following configurations and it resolved the above issue.
input {
  # Syslog-style UDP input; events from here are tagged with type "hyworks"
  udp {
    port => 514
    type => "hyworks"
  }
  # Beats input; the shipper sets [type] itself, so no type is configured here
  beats {
    port => 5044
  }
}
filter {
  if [type] == "hyworks" {
    # Parse the HyworksController syslog line; ORG_ID is a UUID
    grok {
      match => { "message" => "<%{INT:loglvl}>HyworksController: %{LOGLEVEL:loglevel} %{USERNAME:user} %{WORD:ORGNAME} (?<ORG_ID>(?:[A-Fa-f0-9]{8}-(?:[A-Fa-f0-9]{4}-){3}[A-Fa-f0-9]{12})) %{WORD:logger}(?:\s+\[%{GREEDYDATA:temp}\]([\.:])?)? %{GREEDYDATA:msg}" }
    }
    if "_grokparsefailure" not in [tags] {
      # Rebuild a shorter message; keep the bracketed context (temp) if present
      if [temp] {
        mutate {
          replace => { "message" => "<%{loglvl}>HyworksController: [%{temp}]: %{msg}" }
          remove_field => [ "msg" ]
          gsub => [ "temp", " ", "_" ]
        }
      }
      else {
        mutate {
          replace => { "message" => "<%{loglvl}>HyworksController: %{msg}" }
          remove_field => [ "msg" ]
        }
      }
      # Use the (underscored) context as a tag, then drop the temporary field
      if [temp] {
        mutate {
          add_tag => [ "%{temp}" ]
        }
      }
      if [temp] {
        mutate {
          remove_field => [ "temp" ]
        }
      }
      # Tag session events by substring match so they can be searched/alerted on
      if " logged in" in [message] {
        mutate {
          add_tag => [ "logged_in", "%{user}_logged_in" ]
        }
      }
      if " successfully logged out" in [message] {
        mutate {
          add_tag => [ "logged_out", "%{user}_logged_out" ]
        }
      }
      if " 'hyworksadmin' successfully logged into " in [message] {
        mutate {
          add_tag => [ "admin_logged_in", "hyworks" ]
        }
      }
      if " and has been Disconnected." in [message] {
        mutate {
          add_tag => [ "idle_disconnected", "%{user}_idle_disconnected" ]
        }
      }
      if " and has been Logout." in [message] {
        mutate {
          add_tag => [ "idle_logout", "%{user}_idle_logout" ]
        }
      }
      mutate {
        add_tag => [ "_user_%{user}" ]
      }
    }
    else {
      # Lines the grok pattern did not match (e.g. tracebacks) are kept as errors
      mutate {
        add_field => { "loglevel" => "ERROR" }
        add_tag => [ "error_log", "error_traceback" ]
      }
    }
  }
}
output {
  if [type] == "hyworks" {
    elasticsearch {
      hosts => ["localhost:9200"]
      sniffing => true
      manage_template => false
      index => "hyworks-%{+YYYY.MM.dd}"
    }
  }
  else {
    # Beats events: index name comes from the shipper name in @metadata
    elasticsearch {
      hosts => "localhost:9200"
      manage_template => false
      index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
      document_type => "%{[@metadata][type]}"
    }
  }
}
Now the above issue is resolved for UDP and Beats, but if I have both Filebeat and Metricbeat, how do I filter the output based on the type?
Any suggestions?
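One way to separate two shippers, as an added example that is not part of the original thread: instead of the `[type]` field (which Beats sets itself), key the conditionals on `[@metadata][beat]`, the field the beats input fills with the shipper name and which the posted output already uses in its index name. The index names, the tags and the localhost:9200 host are assumptions for this example.

```logstash
input {
  beats {
    port => 5044
  }
}

filter {
  # [@metadata][beat] is set by the beats input to the shipper name
  # ("filebeat", "metricbeat", ...). @metadata is never indexed, so
  # copy it into a normal field if you want to search on it later.
  if [@metadata][beat] == "filebeat" {
    mutate { add_tag => [ "from_filebeat" ] }
  } else if [@metadata][beat] == "metricbeat" {
    mutate { add_tag => [ "from_metricbeat" ] }
  }
}

output {
  if [@metadata][beat] == "filebeat" {
    elasticsearch {
      hosts => ["localhost:9200"]
      manage_template => false
      index => "filebeat-%{+YYYY.MM.dd}"
    }
  } else if [@metadata][beat] == "metricbeat" {
    elasticsearch {
      hosts => ["localhost:9200"]
      manage_template => false
      index => "metricbeat-%{+YYYY.MM.dd}"
    }
  } else {
    # Catch-all so events from an unexpected shipper are kept, not silently dropped
    elasticsearch {
      hosts => ["localhost:9200"]
      manage_template => false
      index => "other-beat-%{+YYYY.MM.dd}"
    }
  }
}
```

The same `[@metadata][beat]` test can be added inside the existing `filter` block so that Filebeat log lines and Metricbeat metrics get different parsing, while the `[type] == "hyworks"` branch for the UDP input stays unchanged.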