Validate logstash conf file merge

Greetings folks,

I am trying to wrap my head around how logstash merges files, and would like clarification on my setup if possible.

In my /etc/logstash/conf.d dir I have the 4 files.

-rw-r--r--  1 root root 186 Nov 20 15:52 001-inputs.conf
-rw-r--r--  1 root root  84 Nov 20 15:53 002-input-syslog.conf
-rw-r--r--  1 root root 206 Nov 21 13:05 500-filter-syslog.conf
-rw-r--r--  1 root root 971 Nov 21 13:04 999-outputs.conf

Below is how logstash should read them.

[.@.conf.d]# cat *.conf
input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => '/etc/pki/tls/certs/logstash-forwarder.crt'
    ssl_key => '/etc/pki/tls/private/logstash-forwarder.key'
  }
}

input {
  udp {
    host => '10.0.101.15'
    port => 10514
    type => 'syslog'
    # the filter and output conditionals test [tags], not [type],
    # so the event has to carry the tag or those conditionals never match
    tags => ['syslog']
  }
}
filter {
  if "syslog" in [tags] {
    grok {
      # repeated match settings are merged into one hash, and a hash cannot
      # hold two "message" keys; give both patterns as an array instead
      match => { "message" => [ "%{SYSLOGBASE} %{CISCOFW710001_710002_710003_710005_710006}",
                                "%{SYSLOGBASE} %{CISCOFW106023}" ] }
    }
  }
}
output {
  if "winlogbeat" in [tags] {
    amazon_es {
      #hosts => ["http://localhost:9200"]
      hosts => ["search-zzzzzzz-zzzzzz-zzzzzzzzzzzzzzzzzzzzzz.ap-southeast-2.es.amazonaws.com"]
      region => "ap-southeast-2"
      aws_access_key_id => 'zzzzzzzzzzzzzzzzzzzzzz'
      aws_secret_access_key => 'zzzzzzzzzzzzzzzzzzzzzzzzzz'
      index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
      document_type => "%{[@metadata][type]}"
    }
  }
  if "syslog" in [tags] {
    amazon_es {
      hosts => ["search-zzzzz-zzzzz-zzzzzzzzzzzzzzzzzz.ap-southeast-2.es.amazonaws.com"]
      region => "ap-southeast-2"
      aws_access_key_id => 'zzzzzzzzzzzzzzzzz'
      aws_secret_access_key => 'zzzzzzzzzzzzzzzzzzzz'
      index => "syslog-%{+YYYY.MM.dd}"
      document_type => "syslog"
    }
  }
}

Question

Am I on the right track with conditionals and how the 4 files fit together?

below is how logstash should read them.

Yes.

Am I on the right track with conditionals and how the 4 files fit together?

Yes.
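As an added example (not from the thread and not Logstash's own code), the script below concatenates the conf.d files in the same lexical filename order Logstash uses and then cross-checks every `if "x" in [tags]` conditional against what the inputs actually assign, so a value that is set as [type] but tested as a tag is caught before the pipeline is started. The file contents are constructed stand-ins for the four files in the post, and the regexes are a deliberate simplification, not Logstash's config grammar.

```python
import re

# Constructed stand-ins for the four conf.d files in the post (hosts and
# credentials omitted), keyed by filename so the merge order can be shown.
SAMPLE_CONF_D = {
    "002-input-syslog.conf": "input {\n  udp {\n    host => '10.0.101.15'\n"
                             "    port => 10514\n    type => 'syslog'\n  }\n}\n",
    "001-inputs.conf": "input {\n  beats {\n    port => 5044\n    ssl => true\n  }\n}\n",
    "500-filter-syslog.conf": 'filter {\n  if "syslog" in [tags] {\n'
                              '    grok { match => { "message" => "%{SYSLOGBASE}" } }\n  }\n}\n',
    "999-outputs.conf": 'output {\n  if "winlogbeat" in [tags] { stdout {} }\n'
                        '  if "syslog" in [tags] { stdout {} }\n}\n',
}

def merge_conf_d(files):
    """Concatenate the files in lexical filename order, which is how Logstash
    assembles a conf.d directory into one pipeline (hence the 001/500/999 prefixes)."""
    return "".join(files[name] for name in sorted(files))

# Deliberately simple regexes over the merged text, not a full Logstash config parser.
TAG_COND = re.compile(r"""if\s+['"]([^'"]+)['"]\s+in\s+\[tags\]""")
TAG_SET = re.compile(r"\b(?:tags|add_tag)\s*=>\s*\[([^\]]*)\]")
TYPE_SET = re.compile(r"""\btype\s*=>\s*['"]([^'"]+)['"]""")

def check_tag_conditionals(conf):
    """Return one finding per tag that a conditional tests but nothing in the
    pipeline assigns; a value that is only ever set as [type] is called out as
    the type-versus-tags mix-up, anything else as a dependency on the shipper."""
    referenced = set(TAG_COND.findall(conf))
    assigned = {t.strip("'\" ") for body in TAG_SET.findall(conf)
                for t in body.split(",") if t.strip()}
    types = set(TYPE_SET.findall(conf))
    findings = []
    for tag in sorted(referenced - assigned):
        if tag in types:
            findings.append(f"'{tag}' is assigned as [type] but tested as a tag: "
                            f"use [type] == \"{tag}\" or add tags => ['{tag}'] to the input")
        else:
            findings.append(f"'{tag}' is tested in a conditional but nothing in conf.d "
                            "assigns it; the shipper (e.g. winlogbeat) must set that tag")
    return findings

if __name__ == "__main__":
    for finding in check_tag_conditionals(merge_conf_d(SAMPLE_CONF_D)):
        print(finding)
```

The check complements rather than replaces `bin/logstash --config.test_and_exit`, which only validates syntax and says nothing about whether a conditional can ever be true.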

