I'm using a logstash-utm.conf file to process syslog data from a firewall; this is working fine.
I also want to send data from winlogbeat on a Windows server to Logstash. Is it best practice to add a new input and output to the existing logstash-utm.conf?
This is my current conf file:
input {
  tcp {
    port => 5140
  }
  udp {
    port => 5140
  }
}
You can have many instances of the same input in one config, but obviously they can't "step on each other's toes", i.e. have the same listening port, reading the same files or fetching the same records.
You should consider using the type setting. It will add a field called type that you can use in conditionals to apply some logic to one source and not the other.
Also you can use multiple pipelines in one instance to separate the concerns. Two input + filter pipelines can feed into a common output pipeline. Here is the link to the multi-pipeline docs
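The single-file approach from the answer above, as an added example that is not part of the original thread: each input sets `type`, and conditionals keep the firewall and Windows events in separate filter and output branches. The beats port, the type values, the tags, the Elasticsearch host, the index names and the fallback file path are all assumptions.

```logstash
# Added example, not the poster's config. Everything except port 5140 is assumed.
input {
  tcp {
    port => 5140
    type => "utm"
  }
  udp {
    port => 5140
    type => "utm"
  }
  beats {
    port => 5044            # assumed; must not collide with another listener
    # An event that already carries a type from the shipper keeps it;
    # the input's type setting does not override an existing value.
    type => "winlogbeat"
  }
}

filter {
  if [type] == "utm" {
    # Firewall syslog parsing belongs in this branch only.
    mutate { add_tag => ["firewall"] }
  } else if [type] == "winlogbeat" {
    # Windows event handling belongs in this branch only.
    mutate { add_tag => ["windows"] }
  }
}

output {
  if [type] == "utm" {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      index => "utm-%{+YYYY.MM.dd}"
    }
  } else if [type] == "winlogbeat" {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      index => "winlogbeat-%{+YYYY.MM.dd}"
    }
  } else {
    # Events matching neither type would otherwise be dropped silently
    # once every output is conditional, so keep them somewhere visible.
    file { path => "/var/log/logstash/untyped-%{+YYYY.MM.dd}.log" }
  }
}
```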