Greetings folks,
I am trying to wrap my head around how Logstash merges files, and would like clarification on my setup if possible.
In my /etc/logstash/conf.d dir I have these 4 files:
-rw-r--r-- 1 root root 186 Nov 20 15:52 001-inputs.conf
-rw-r--r-- 1 root root 84 Nov 20 15:53 002-input-syslog.conf
-rw-r--r-- 1 root root 206 Nov 21 13:05 500-filter-syslog.conf
-rw-r--r-- 1 root root 971 Nov 21 13:04 999-outputs.conf
Below is how Logstash should read them (the files are concatenated in lexical order of their names, so the 001/002/500/999 prefixes decide the order):
[.@.conf.d]# cat *.conf
input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => '/etc/pki/tls/certs/logstash-forwarder.crt'
    ssl_key => '/etc/pki/tls/private/logstash-forwarder.key'
  }
}
input {
  udp {
    host => '10.0.101.15'
    port => 10514
    type => 'syslog'
    # The filter and output conditionals below test [tags], not [type],
    # so the events from this input need the tag as well
    tags => ['syslog']
  }
}
filter {
  if "syslog" in [tags] {
    grok {
      # Alternative patterns for one field go into a single match option as an array;
      # repeating `match` for the same field is not guaranteed to keep both patterns
      match => { "message" => [
        "%{SYSLOGBASE} %{CISCOFW710001_710002_710003_710005_710006}",
        "%{SYSLOGBASE} %{CISCOFW106023}"
      ] }
    }
  }
}
output {
  if "winlogbeat" in [tags] {
    amazon_es {
      #hosts => ["http://localhost:9200"]
      hosts => ["search-zzzzzzz-zzzzzz-zzzzzzzzzzzzzzzzzzzzzz.ap-southeast-2.es.amazonaws.com"]
      region => "ap-southeast-2"
      aws_access_key_id => 'zzzzzzzzzzzzzzzzzzzzzz'
      aws_secret_access_key => 'zzzzzzzzzzzzzzzzzzzzzzzzzz'
      index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
      document_type => "%{[@metadata][type]}"
    }
  }
  if "syslog" in [tags] {
    amazon_es {
      hosts => ["search-zzzzz-zzzzz-zzzzzzzzzzzzzzzzzz.ap-southeast-2.es.amazonaws.com"]
      region => "ap-southeast-2"
      aws_access_key_id => 'zzzzzzzzzzzzzzzzz'
      aws_secret_access_key => 'zzzzzzzzzzzzzzzzzzzz'
      index => "syslog-%{+YYYY.MM.dd}"
      document_type => "syslog"
    }
  }
}
Question: Am I on the right track with conditionals and how the 4 files fit together?
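As an added example (not from the original post and not Logstash code), a small Python model of the two things the question is about: how the four files become one pipeline (sorted by name, then concatenated) and how the `"syslog" in [tags]` conditionals route an event that only has `type => 'syslog'` set. The file bodies, the two events and the timestamp are constructed stand-ins.

```python
"""Constructed model of Logstash conf.d merging and [tags]/[type] routing; not Logstash itself."""
from datetime import datetime, timezone

# Constructed stand-ins for the four files. Logstash reads the directory glob in lexical
# order and concatenates the bodies into one pipeline, which is why the numeric prefixes matter.
CONF_FILES = {
    "500-filter-syslog.conf": 'filter { if "syslog" in [tags] { grok { } } }',
    "002-input-syslog.conf": "input { udp { port => 10514 type => 'syslog' } }",
    "999-outputs.conf": "output { }",
    "001-inputs.conf": "input { beats { port => 5044 } }",
}


def merge_conf_dir(files):
    """Return the single pipeline text Logstash sees: files sorted by name, bodies joined."""
    return "\n".join(files[name] for name in sorted(files))


def syslog_in_tags(event):
    """Equivalent of `if "syslog" in [tags]`: tests the tags array only."""
    return "syslog" in event.get("tags", [])


def syslog_type(event):
    """Equivalent of `if [type] == "syslog"`: the field the udp input actually sets."""
    return event.get("type") == "syslog"


def index_for(event):
    """Mirror the two output conditionals and their index sprintf patterns."""
    day = event["@timestamp"].strftime("%Y.%m.%d")  # %{+YYYY.MM.dd}
    if "winlogbeat" in event.get("tags", []):
        return f"{event['@metadata']['beat']}-{day}"  # %{[@metadata][beat]}-%{+YYYY.MM.dd}
    if syslog_in_tags(event):
        return f"syslog-{day}"
    return None  # no output block matched: the event is silently dropped


# Constructed events, shaped as the two inputs would emit them (assumed timestamp).
TS = datetime(2018, 11, 21, 13, 5, tzinfo=timezone.utc)
UDP_EVENT = {"@timestamp": TS, "type": "syslog", "message": "constructed syslog line"}
BEATS_EVENT = {"@timestamp": TS, "tags": ["winlogbeat"],
               "@metadata": {"beat": "winlogbeat", "type": "doc"}}

if __name__ == "__main__":
    print(merge_conf_dir(CONF_FILES))
    print("beats ->", index_for(BEATS_EVENT))
    print("udp   ->", index_for(UDP_EVENT), "| type matches:", syslog_type(UDP_EVENT))
```

Adding `tags => ['syslog']` to the udp input (or testing `[type] == "syslog"` in the conditionals) is what makes the udp event reach the syslog output in this model.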