Create dynamic indexes in Logstash with the Gelf logback appender

Question

I'm using logback for logging together with biz.paluch.logging.gelf.logback.GelfLogbackAppender. I have 3 services running currently and I want 2 of them to have the output in logstash as logstash-ingest and the other one as logstash-digest. Example:

I want these two to have the index logstash-ingest

Service 1

<!DOCTYPE configuration>

<configuration>
    <contextName>test</contextName>
    <jmxConfigurator/>
    <appender name="gelf" class="biz.paluch.logging.gelf.logback.GelfLogbackAppender">
        <host>udp:localhost</host>
        <port>12201</port>
        <version>1.1</version>
        <extractStackTrace>true</extractStackTrace>
        <filterStackTrace>true</filterStackTrace>
        <timestampPattern>yyyy-MM-dd HH:mm:ss,SSS</timestampPattern>
        <maximumMessageSize>8192</maximumMessageSize>

        <param name="AdditionalFields" value="tag=example1-api,INDEX_PREFIX=ingest" />
        <param name="AdditionalFieldTypes" value="tag=String,INDEX_PREFIX=String" />

        <dynamicMdcFields>(field1|field2)</dynamicMdcFields>
    </appender>

    <logger name="com.example1" level="INFO" />

    <root level="INFO">
        <appender-ref ref="gelf" />
    </root>
</configuration>

Service 2

<!DOCTYPE configuration>

<configuration>
    <contextName>test</contextName>
    <jmxConfigurator/>
    <appender name="gelf" class="biz.paluch.logging.gelf.logback.GelfLogbackAppender">
        <host>udp:localhost</host>
        <port>12201</port>
        <version>1.1</version>
        <extractStackTrace>true</extractStackTrace>
        <filterStackTrace>true</filterStackTrace>
        <timestampPattern>yyyy-MM-dd HH:mm:ss,SSS</timestampPattern>
        <maximumMessageSize>8192</maximumMessageSize>

        <param name="AdditionalFields" value="tag=example2-api,INDEX_PREFIX=ingest" />
        <param name="AdditionalFieldTypes" value="tag=String,INDEX_PREFIX=String" />

        <dynamicMdcFields>(field1|field2)</dynamicMdcFields>
    </appender>

    <logger name="com.example2" level="INFO" />

    <root level="INFO">
        <appender-ref ref="gelf" />
    </root>
</configuration>

and the third one logstash-digest

Service 3

<!DOCTYPE configuration>

<configuration>
    <contextName>test</contextName>
    <jmxConfigurator/>
    <appender name="gelf" class="biz.paluch.logging.gelf.logback.GelfLogbackAppender">
        <host>udp:localhost</host>
        <port>12201</port>
        <version>1.1</version>
        <extractStackTrace>true</extractStackTrace>
        <filterStackTrace>true</filterStackTrace>
        <timestampPattern>yyyy-MM-dd HH:mm:ss,SSS</timestampPattern>
        <maximumMessageSize>8192</maximumMessageSize>

        <param name="AdditionalFields" value="tag=example3-api,INDEX_PREFIX=digest" />
        <param name="AdditionalFieldTypes" value="tag=String,INDEX_PREFIX=String" />

        <dynamicMdcFields>(field1|field2)</dynamicMdcFields>
    </appender>

    <logger name="com.example3" level="INFO" />

    <root level="INFO">
        <appender-ref ref="gelf" />
    </root>
</configuration>

This is my logstash.conf but I'm not sure how to configure it in order to use the INDEX_PREFIX to distinguish the output of these three services.

input {

  gelf {
    id => "gelf"
    use_udp => true
    use_tcp => false
  }
}

## filters???

output {
    elasticsearch {
        hosts => ["es01:9200"]
        user => "elastic"
        password => "changeme"
        index => "logstash-{%}" ## what am I missing here?
    }
}

score 0 · Answer 1 · answered Jul 02 '21 at 11:46

I must have tweaked on the configs for too long and changed too many things and at the end didn't know what actually works. Next day, with a clear mind, tried again and apparently the answer to my question is index => "logstash-%{INDEX_PREFIX}" I'm pretty sure I tried this, but probably in combination with other stuff that had failed.

Create dynamic indexes in Logstash with the Gelf logback appender

1 Answers1