I have a logstash instance with the following configuration (simplified):

input {
  redis { }
}

output {
  elasticsearch_http { }

  if [level] == "WARNING" or [level] == "ERROR" or [level] == "CRITICAL" or [level] == "ALERT" or [level] == "EMERGENCY" {
    if [type] == "specific type 1" {
      sentry { }
    } else if [type] == "specific type 2" {
      sentry { }
    } else if [type] == "specific type 3" {
      sentry { }
    }
  }
}

As you can see, every message goes to elasticsearch and, based on the type, it gets sent to the sentry output (a custom plugin I wrote to write messages to sentry). For each specific type I have a separate project in sentry, and the sentry plugin is configured to know which project it needs to send the message to.

Everything is working except that messages get sent to the wrong projects in sentry. Occasionally, it seems like the ifs are doing their job and messages end up in the correct project in sentry. But the majority of the time, messages get sent to the first project.

Does anybody have any idea if there is something wrong with this configuration or how I can debug this? Because I'm really lost and can't see anything wrong with this.

iamBrecht
  • The config looks fine; however, it appears you are using the same sentry output for each of the types, which makes your ifs useless. Is this the complete configuration or did you delete things? If it is, then this is likely your custom plugin having an error in the logic and we might need to see the source code for that as well. – pandaadb Jun 17 '16 at 09:01
  • Well, each sentry output is configured with a different key, secret and project id. So it should send the logs to the different projects. Maybe a stupid question, but am I correct to think that it is possible to use multiple outputs of the same type? The sentry outputs look something like this: sentry { "key" => "key_for_project_1" "secret" => "secret_for_project_1" "project_id" => "id_for_project_1" } – iamBrecht Jun 20 '16 at 13:22
  • Judging from what I have seen (with filters - and I am not a core logstash dev so I might be wrong) they act sort of like singletons (warning: please check this statement before blindly believing me :) ). E.g. the aggregate filter, when applied multiple times, shares its class-level variables. There's an easy way to test this. Have your sentry{} log the output key (which should be different for each of them) and check if it is indeed using different ones. – pandaadb Jun 20 '16 at 13:25
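
The failure mode hypothesised in the comments above, as an added example that is not part of the original thread and not the asker's plugin: plain Ruby stand-ins (all class and method names are hypothetical) showing how state memoized at class level makes three separately configured outputs deliver to the first project, and how recording the project each instance actually uses exposes it. The project ids are the placeholder values from the comment.

```ruby
# Constructed stand-ins for a custom output; not the real sentry plugin.
class SharedStateOutput
  def initialize(project_id)
    @project_id = project_id
  end

  # Assumed bug pattern: the client is memoized in a class variable, so the
  # first instance to register wins and later instances reuse its project.
  def register
    @@client ||= { project_id: @project_id }
  end

  # Returns the project the event is actually delivered to (the value the
  # comment suggests logging from inside the plugin).
  def receive(_event)
    @@client[:project_id]
  end
end

class PerInstanceOutput
  def initialize(project_id)
    @project_id = project_id
  end

  # Fixed form: each configured output keeps its own client.
  def register
    @client = { project_id: @project_id }
  end

  def receive(_event)
    @client[:project_id]
  end
end

# One output per type, mirroring the if / else-if chain in the question.
def delivered_projects(klass)
  types = ["specific type 1", "specific type 2", "specific type 3"]
  outputs = types.each_with_index.map { |t, i| [t, klass.new("id_for_project_#{i + 1}")] }.to_h
  outputs.each_value(&:register)
  types.map { |t| outputs[t].receive({ type: t, level: "ERROR" }) }
end

if __FILE__ == $PROGRAM_NAME
  p delivered_projects(SharedStateOutput)   # every type lands in project 1
  p delivered_projects(PerInstanceOutput)   # each type lands in its own project
end
```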

0 Answers