Custom Parsing #1587
-
Hi Guys - great work on GA release. Is there a way to add custom parsing through elasticsearch pipelines? We can create new pipelines under elasticsearch/ingest, but we can't reference it from any existing pipeline files or create a new output logstash pipeline - both are reverted when the container is restarted. Glenn
Replies: 3 comments
-
Security Onion uses Salt for configuration; you need to add your new logstash pipeline under /opt/so/saltstack/local/salt/logstash/pipeline/config/so The /opt/so/saltstack/local and /opt/so/saltstack/default are synchronized every 15 minutes to /opt/so/conf (you can do it manually with the salt command state.apply), where the default path is the basic SO configuration, and the local path is where you can add customizations. Eventually, all Docker containers mount directories in /opt/so/conf (you can look at logstash docker run command in salt init file:
-
This was extremely helpful idolamon - thank you!
-
We plan on updating the documentation on this very soon. You want to avoid making modifications to anything in default.
Security Onion uses Salt for configuration; you need to add your new logstash pipeline under /opt/so/saltstack/local/salt/logstash/pipeline/config/so
And copy the pillar file: /opt/so/saltstack/default/logstash/search.sls
to
/opt/so/saltstack/local/logstash/search.sls
and then edit it, and add your new output there.
The /opt/so/saltstack/local and /opt/so/saltstack/default are synchronized every 15 minutes to /opt/so/conf (you can do it manually with the salt command state.apply), where the default path is the basic SO configuration, and the local path is where you can add customizations.
Eventually, all Docker containers mount directories in /opt/so/conf (you can look at logstash docker …
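
The steps from the reply above, gathered into one script. This is an added example, not code from the thread or from the Security Onion project; `SO_ROOT`, the function names and whatever pipeline file name you pass in are assumptions, and the paths are used exactly as written in the reply.

```shell
#!/bin/sh
# Added example: stage a custom Logstash pipeline in the Salt "local" tree.
# Paths below SO_ROOT are the ones given in the reply; SO_ROOT is overridable
# (an assumption of this example) so it can be tried on a scratch directory.
SO_ROOT="${SO_ROOT:-/opt/so/saltstack}"

stage_pipeline() {
  # $1 = pipeline config file to install (its name is the operator's choice)
  local src="$1"
  local default_pillar="$SO_ROOT/default/logstash/search.sls"
  local local_pillar="$SO_ROOT/local/logstash/search.sls"
  local local_conf_dir="$SO_ROOT/local/salt/logstash/pipeline/config/so"

  [ -f "$src" ] || { echo "missing pipeline file: $src" >&2; return 1; }
  [ -f "$default_pillar" ] || { echo "missing $default_pillar" >&2; return 1; }

  # Never stage from inside default/: that tree is the stock configuration.
  case "$(realpath "$src")" in
    "$(realpath "$SO_ROOT/default")"/*)
      echo "refusing: source lives under default/" >&2; return 2 ;;
  esac

  mkdir -p "$local_conf_dir" "$(dirname "$local_pillar")" || return 1
  cp -- "$src" "$local_conf_dir/" || return 1

  # Seed the local pillar from default once; keep earlier local edits.
  if [ ! -e "$local_pillar" ]; then
    cp -- "$default_pillar" "$local_pillar" || return 1
  fi
  echo "staged $(basename "$src"); now add it to $local_pillar"
}

pillar_diff() {
  # Show what the local pillar changes relative to default (exit 1 = differs).
  diff -u "$SO_ROOT/default/logstash/search.sls" \
          "$SO_ROOT/local/logstash/search.sls"
}
```

After editing the local pillar, `pillar_diff` shows exactly which lines differ from the stock file before the next sync or a manual state.apply picks them up.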