如何使用相同的LSF将两种不同类型的日志（具有不同的模式）发送到一个logstash central_Logstash_Multiline_Logstash Forwarder

如何使用相同的LSF将两种不同类型的日志（具有不同的模式）发送到一个logstash central

logstash

如何使用相同的LSF将两种不同类型的日志（具有不同的模式）发送到一个logstash central,logstash,multiline,logstash-forwarder,Logstash,Multiline,Logstash Forwarder,我有一个LogStashForward（LSF）代理，它向LogStashCentral代理（版本2.2）发送两种日志。这些日志是多行的，但模式不同在LSF中，配置文件如下所示： { "network": { "servers": [ "server1:77009" ], "timeout": 15, "ssl ca": "logstashforwader.jks" }, "files": [ { "paths": [ "/dir1/log1" ],

我有一个LogStashForward（LSF）代理，它向LogStashCentral代理（版本2.2）发送两种日志。这些日志是多行的，但模式不同

在LSF中，配置文件如下所示：

{ "network": {
"servers": [ "server1:77009" ],
"timeout": 15,
"ssl ca": "logstashforwader.jks"  },  "files": [
{
  "paths": [
   "/dir1/log1"
            ],
  "fields": { "type": "type1",
    "environment": "env1" }
},
{
  "paths": [
   "/dir2/log2"
            ],
        "fields": { "type": "type2",
    "environment": "env1"  }
}   ]}

input {if [type] == "type1" { lumberjack {
    host => "@IP"
    port => "77009"
    ssl_certificate => "/logstash-forwarder.crt"
    ssl_key => "/logstash-forwarder.key"
            codec => multiline {
            pattern => "^%{DATE_EU}"
            max_lines => 750
            negate => true
            what => previous
            }
    }} else if [type] == "type2" { lumberjack {
    host => "server1"
    port => "77009"
    ssl_certificate => "logstash-forwarder.crt"
    ssl_key => "/logstash-forwarder.key"
            codec => multiline {
            pattern => "^<"
            negate => true
            what => previous
            }
    }}}

在logstash central中，我想将良好模式应用于良好类型，例如：

{ "network": {
"servers": [ "server1:77009" ],
"timeout": 15,
"ssl ca": "logstashforwader.jks"  },  "files": [
{
  "paths": [
   "/dir1/log1"
            ],
  "fields": { "type": "type1",
    "environment": "env1" }
},
{
  "paths": [
   "/dir2/log2"
            ],
        "fields": { "type": "type2",
    "environment": "env1"  }
}   ]}

input {if [type] == "type1" { lumberjack {
    host => "@IP"
    port => "77009"
    ssl_certificate => "/logstash-forwarder.crt"
    ssl_key => "/logstash-forwarder.key"
            codec => multiline {
            pattern => "^%{DATE_EU}"
            max_lines => 750
            negate => true
            what => previous
            }
    }} else if [type] == "type2" { lumberjack {
    host => "server1"
    port => "77009"
    ssl_certificate => "logstash-forwarder.crt"
    ssl_key => "/logstash-forwarder.key"
            codec => multiline {
            pattern => "^<"
            negate => true
            what => previous
            }
    }}}

输入{if[type]==“type1”{伐木工人{
主机=>“@IP”
端口=>“77009”
ssl\U证书=>“/logstash forwarder.crt”
ssl_key=>“/logstash forwarder.key”
编解码器=>多行{
模式=>“^%{DATE\u EU}”
最大线=>750
否定=>true
什么=>以前的
}
}}如果[type]=“type2”{伐木工人{
主机=>“服务器1”
端口=>“77009”
ssl_证书=>“logstash forwarder.crt”
ssl_key=>“/logstash forwarder.key”
编解码器=>多行{
pattern=>“^不能对输入使用条件
您可以在多行模式中使用或（“|”）来支持这两种输入
您还可以使用两个不同的端口，并将每个输入发送到不同的端口。
我在多行模式中添加了“|”，效果非常好！！Thx好消息。您有可能接受答案吗？