Work with Environment Variables in logstash.conf / if condition

Flo_B · November 8, 2016, 8:59am

Hey,

i try to configure a 2nd output for "special" Data in logstash.

First a tagged the special data in a filter:

grok {
match => { "source" => "%{GREEDYDATA}/specialservice/%{GREEDYDATA}_access.log" }
add_field => { "special_output" => "YES" }
}

But now i get in trouble, by working with conditions in the output area:
if "true" == "true" {
if "YES" in [special_output] {
syslog {
host => "192.168.0.100"
facility => "log audit"
port => "20750"
severity => "informational"
}
}
}

Can this even work? In my syslog-ng Backend there are not Data. In mein ElasticSearch DB i can sea the extra field "special_output" : "YES", but it thems that logstash is never using my syslog backend...

Any Ideas?

magnusbaeck · November 8, 2016, 9:57am

This should work. I'd consult the Logstash logs to look for clues about what's happening with the syslog output (whether it's executing at all). It might be necessary to increase the log level to see anything interesting.

Flo_B · November 8, 2016, 1:07pm

Hey Magnus,

thank you for your help.

I had to change some things:

protocol => "tcp"
rfc => "rfc5424"

My syslog Backend cannot reveive data via udp and rfc3164, which is the default value.

Regards,
Florian

system · December 6, 2016, 1:07pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash filter fields in if conditions Logstash	5	19752	August 25, 2020
Conditional statement in output Logstash	6	13624	March 18, 2017
Output data in multiple indices based on fields Logstash	3	2919	January 15, 2018
Logstash output condition to filter a string in syslog Logstash	2	457	July 12, 2020
Logstash output conditions doesn't works Logstash	2	1386	July 6, 2017

Work with Environment Variables in logstash.conf / if condition

Related topics