Logstash Network Filter

rodigl · July 27, 2021, 9:02am

How can I filter logs by network. Example. 3 networks with several vm. Everyone sends logs over syslog on port 514 to logstash.

Something like this logstash.conf

input {
  syslog {
    port => 514
  }
}
filter {
  if [network] == 10.10.10.0/24
    add_tag => ["index1"]
  else {
    if [network] == 10.10.11.0/24
      add_tag => ["index2"]
    else {
      add_tag => ["index3"]
    }
  }
}
output {
  if [tag] == "index1" {
    elasticsearch {
      index => index1
  }
}
  else {
    if [tag] == "index2" {
	  elasticsearch {
      index => index2
  }
}
	else {
	  elasticsearch {
      index => index3
      }
    }
  }
}

Can someone explain how to do this or attach a link for an example.

Topic		Replies	Views
How to send logs from specific source to specific index Index Management configure	1	549	April 15, 2022
Logs from network devices not shown in kibana? Open Source Elasticsearch and Kibana	5	1545	August 13, 2021
Logstash - how to classify incoming syslog messages OpenSearch	0	424	October 29, 2022
Index alias for multiple indices Index Management	6	4976	July 31, 2020
Using different Index names in Output logstash Open Source Elasticsearch and Kibana	3	1925	May 19, 2021

Logstash Network Filter

Related topics