Filebeat自定义字段上的Logstash条件逻辑

Question

I'm new to ELK stack and am starting out by pushing the IIS logs on my Windows Server 2012 application server to Elastic Search using Filebeat and Logstash.

I plan on extending this so that it also pushes up custom application logs which are written by our applications (as opposed to IIS). To do this I'll need to differentiate one type of log from another in Logstash.

So in filebeat.yml I have added a custom field called "log_type":

  type: log
  enabled: true
  paths:
     - C:\inetpub\logs\LogFiles\*\*
  fields:
    log_type: iis

In my Logstash I'm trying to perform some conditional logic based on the value of "log_type" but it's not working. If I remove the conditional logic the filter works.

filter {
  if [fields.log_type] == "iis" {
    grok {
      match => { "message" => "%{TIMESTAMP_ISO8601:log_timestamp} %{IPORHOST:site} %{WORD:method} %{URIPATH:page} %{NOTSPACE:querystring} %{NUMBER:port} %{NOTSPACE:username} %{IPORHOST:clienthost} %{NOTSPACE:useragent} %{NOTSPACE:referer} %{NUMBER:response} %{NUMBER:subresponse} %{NUMBER:scstatus} %{NUMBER:timetaken:int}"}
    }
    date {
        match => [ "log_timestamp", "ISO8601" ]
        target => "@timestamp"
    }
  }
}

I've searched and searched but can't find out how to do this. Would really appreciate some help.

Answer 1

To access the field in Logstash the syntax should be [fields][log_type] rather than [fields.log_type] .

Reference

• Logstash Field References

Answer 2

Do you have this line in your configuration? fields_under_root: true . If yes, you can try simply [log_type] , without any prefixes.