Work with Environment Variables in logstash.conf / if condition

Flo_B · November 8, 2016, 8:59am

Hey,

i try to configure a 2nd output for "special" Data in logstash.

First a tagged the special data in a filter:

grok {
match => { "source" => "%{GREEDYDATA}/specialservice/%{GREEDYDATA}_access.log" }
add_field => { "special_output" => "YES" }
}

But now i get in trouble, by working with conditions in the output area:
if "true" == "true" {
if "YES" in [special_output] {
syslog {
host => "192.168.0.100"
facility => "log audit"
port => "20750"
severity => "informational"
}
}
}

Can this even work? In my syslog-ng Backend there are not Data. In mein ElasticSearch DB i can sea the extra field "special_output" : "YES", but it thems that logstash is never using my syslog backend...

Any Ideas?

magnusbaeck · November 8, 2016, 9:57am

This should work. I'd consult the Logstash logs to look for clues about what's happening with the syslog output (whether it's executing at all). It might be necessary to increase the log level to see anything interesting.

Flo_B · November 8, 2016, 1:07pm

Hey Magnus,

thank you for your help.

I had to change some things:

protocol => "tcp"
rfc => "rfc5424"

My syslog Backend cannot reveive data via udp and rfc3164, which is the default value.

Regards,
Florian

system · December 6, 2016, 1:07pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.