0

I would like to create two separate indexes for two different systems that are sending data to the logstash server setup for udp - syslog. In Elasticsearch, I created an Index called CiscoASA01 and another Index called CiscoASA02. How can I configure Logstash to filter all events coming from the first device to go into the CiscoASA01 index and the events coming from the second device to go to the second index? Thank you.

gmatteson
  • 69
  • 4
  • 11

1 Answers1

2

You can use if to separate the logs. Assume your first device is CiscoASA01 & second is CiscoASA02.

Here is the output

output {
    if [host] == "CiscoASA01"
    {
            elasticsearch {
                    host => "elasticsearch_server"
                    index => "CiscoASA01"
            }
    }

    if [host] == "CiscoASA02"
    {
            elasticsearch {
                    host => "elasticsearch_server"
                    index => "CiscoASA02"
            }
    }
}

The [host] is the field in logstash event. You can use it to separate the log to different output.

Hope this can help you.

Ban-Chuan Lim
  • 7,840
  • 4
  • 35
  • 52
  • 4
    It might be fun to try: index => "%{host}" – Alain Collins Jan 14 '15 at 03:17
  • Great thank you! Is there a way that I might be able to use a subnet variable instead of host? i.e. anything from subnet 192.168.1.x > use index1, 192.168.2.x > use index2? I suspect I would have to use regex to do this on the host variable? – gmatteson Jan 14 '15 at 21:42
  • Actually, what I can't seem to find information on, is in the output section of logstash, can I reference any field from the event? I added a new field in the filter area of the configuration i.e. "Device_Type" = switch, router, firewall etc. and in the output area, could I access that field? Thank you. – gmatteson Jan 14 '15 at 22:09
  • 1
    Yes, you can do what you need! The [host] is the event field. So, if you want to use "Device_Type", you can use this "if [Device_Type] == switch". – Ban-Chuan Lim Jan 15 '15 at 00:38