
My idea is to take some directories (mostly IP addresses) and put them into the "host" field so I will know that this log is from this host. Is it possible? I cannot find it in the documentation :(

The problem is that I have rsyslog on the clients and rsyslog on the server. On my server it looks like:

[root@logstash]# ls -al /var/log-remote/
total 12
drwxr-xr-x   3 root root 4096 Jun 20 09:50 .
drwxr-xr-x. 18 root root 4096 Jun 20 09:48 ..
drwx------   2 root root 4096 Jun 20 10:01 192.168.10.11 
drwx------   2 root root 4096 Jun 20 10:01 192.168.20.12 
drwx------   2 root root 4096 Jun 20 10:01 192.168.30.13
(...)

And my logstash configuration so far is:

input {
  file {
    # one event stream for every file rsyslog writes under the per-client directories
    type => "linux-syslog"
    path => [ "/var/log-remote/*/*.log" ]
  }
}

output {
  # print every event for debugging
  stdout {
    codec => rubydebug
  }
  elasticsearch {
    host => localhost
  }
}

The output that I have is:

{
       "message" => "Test",
      "@version" => "1",
    "@timestamp" => "2014-06-20T09:01:23.335Z",
          "type" => "linux-syslog",
          "host" => "0.0.0.0",
          "path" => "/var/log-remote/192.168.10.11/user.log"
}

My question again is that I would like to have in "host" the IP address of that client, which in this case is 192.168.10.11.

user3612491

1 Answer


The solution is to add grok:

filter {
  grok {
    # pull the client directory name out of the file path into "host"
    match => { "path" => "%{PATH}/%{IP:host}" }
    # replace the "0.0.0.0" the file input put there
    overwrite => [ "host" ]
  }
}

Thanks

user3612491
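The following is an added example, not code from the question or the answer above. It re-implements what the grok filter does in plain Ruby (Logstash runs on JRuby and grok compiles to Oniguruma regexes, so the behaviour carries over) so the extraction can be checked outside Logstash, and it goes one step further than the posted pattern: the regex is anchored to the assumed spool root `/var/log-remote`, so only the directory directly under that root is accepted as the client address, and an event whose path does not fit is tagged `_grokparsefailure` and keeps its original `host`, which is what grok does on a failed match. The IPV4 pattern is copied from the grok-patterns file that ships with Logstash; the sample events are constructed to look like the rubydebug output in the question.

```ruby
# Added example, not from the original post: stand-alone emulation of
#   grok { match => { "path" => "%{PATH}/%{IP:host}" } overwrite => ["host"] }

# IPV4 pattern as defined in Logstash's bundled grok-patterns file.
IPV4 = /(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9])/

# Assumed layout, taken from the ls listing in the question: one directory
# per client under this root, named by the client's IP address.
LOG_ROOT = "/var/log-remote"

# Anchored form of '%{PATH}/%{IP:host}': the address must be the directory
# directly under LOG_ROOT and the file name must be a single path component.
# The posted grok pattern is unanchored and would also accept an address that
# appears anywhere deeper in the path; anchoring is the addition here.
HOST_FROM_PATH = %r{\A#{Regexp.escape(LOG_ROOT)}/(?<host>#{IPV4.source})/[^/]+\z}

# Applies the filter to one event hash and returns a new event hash.
# On a match, "host" is overwritten with the directory name (the file
# input's "0.0.0.0" goes away). On no match the event is left alone
# except for a "_grokparsefailure" tag, mirroring grok's failure behaviour.
def set_host_from_path(event)
  out = event.dup
  m = HOST_FROM_PATH.match(event["path"].to_s)
  if m
    out["host"] = m[:host]
  else
    out["tags"] = (event["tags"] || []) + ["_grokparsefailure"]
  end
  out
end

if __FILE__ == $0
  # Constructed sample events in the shape of the question's rubydebug output.
  samples = [
    { "message" => "Test", "host" => "0.0.0.0", "path" => "/var/log-remote/192.168.10.11/user.log" },
    { "message" => "Test", "host" => "0.0.0.0", "path" => "/var/log-remote/not-an-ip/user.log" },
    { "message" => "Test", "host" => "0.0.0.0", "path" => "/var/log-remote/192.168.10.11/../10.0.0.1/x.log" },
  ]
  samples.each { |e| p set_host_from_path(e) }
end
```

The point of anchoring is that `host` is the field you will later filter and alert on, so it should come only from the part of the path the receiving rsyslog chose (the per-client directory), never from a file name or a deeper component. The hostname inside the syslog message itself is written by the client and can say whatever the client likes; the directory name, assuming rsyslog derives it from the sending address as the listing suggests, is not under the client's control in the same way. Events that land in the `_grokparsefailure` branch are worth looking at rather than dropping, since they indicate a file that does not follow the expected layout.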