Wrong ElasticSearch template being used

Dualnames · October 8, 2015, 1:21am

I am not sure if this is the correct forum for this but I am having issues with one of my logstash configurations when it is sent to elasticsearch. I am brand new to ELK and still learning how everything works.

So far, I have 2 logstash configurations setup, one is for NetFlow data and the other is for local logs (I am also using packetbeat but I don't think that is related). So, the NetFlow template works great for the NetFlow data but my issue is that when I send the local logs to Elasticsearch, it is trying to use the NetFlow template for the local logs aswell.

I am testing this with CentOS on /var/log/messages so it is typical syslog messages. I tried setting up a Grok filter but I don't even know if that is necessary (also it didn't help). Below is my configurations:

Local logs (syslog)

NetFlow

My templates wouldn't fit into the body: http://coriewhite.me/elasticsearchtemplates.html

Please let me know if you guys need any further information and thank you in advanced for the help!

warkolm · October 8, 2015, 1:29am

How are you defining the Netflow template?
Also are you merging these configs?

Dualnames · October 8, 2015, 1:33am

Well, the configs are in separate files:

Not sure what you mean by defining NetFlow template but it's under the _templates like so:

curl -XGET localhost:9200/_template/logstash_netflow5?pretty

warkolm · October 8, 2015, 1:35am

Even though these are different files, they get merged by LS at run time.
So you need to add a conditional to the output to make sure each message goes to it's correct config.

Dualnames · October 8, 2015, 1:38am

Oo thank you! Sounds like you know what's going on. Er, do you have an example on how to do this though or a link related to this?

This is my Kibana results: http://coriewhite.me/locallog.png

Dualnames · October 8, 2015, 2:19am

I got it working! Thanks!