I've got a log stash forward (LSF) agent that sends 2 kinds of logs to a Logstash central agent (version 2.2). These logs are multilines but not with the same pattern..
In the LSF the config file is like that :
{ "network": {
"servers": [ "server1:77009" ],
"timeout": 15,
"ssl ca": "logstashforwader.jks" }, "files": [
{
"paths": [
"/dir1/log1"
],
"fields": { "type": "type1",
"environment": "env1" }
},
{
"paths": [
"/dir2/log2"
],
"fields": { "type": "type2",
"environment": "env1" }
} ]}
In the logstash central I'd like to apply the good pattern for the good type something like that :
input {if [type] == "type1" { lumberjack {
host => "@IP"
port => "77009"
ssl_certificate => "/logstash-forwarder.crt"
ssl_key => "/logstash-forwarder.key"
codec => multiline {
pattern => "^%{DATE_EU}"
max_lines => 750
negate => true
what => previous
}
}} else if [type] == "type2" { lumberjack {
host => "server1"
port => "77009"
ssl_certificate => "logstash-forwarder.crt"
ssl_key => "/logstash-forwarder.key"
codec => multiline {
pattern => "^<"
negate => true
what => previous
}
}}}
But it doesn't work ... Is it the best way (or is it possible to put an "or" in the pattern line ?)
After I'll apply different grok on each "type".
You can't use conditionals on inputs.
You can use an or ("|") in your multiline pattern to support both inputs.
You could also use two different ports and send each input to a different port.