Hi all,
I have beats installed on my logstash instance. My idea is to collect multiple logs using filebeat modules -> send it to logstash on port 5044 -> send it to elasticsearch.
Can I add tags in each of the filebeat module yml files?
For eg, Juniper module with "juniper" tag, sophos module with "sophos" tag
This was I can use the tags to send the logs to different indexes
If you use a filebeat module there is already a field that defines which module / dataset it is which can be used for sorting / conditionals in Logstash.
event.dataset
Also in a module you should be able to add tags as an input configuration.
- module: sophos
xg:
enabled: true
input.tags: ["sophos"]
var.input: udp
...
Hi @stephenb
Thank you for your reply. Pardon me, I am new to the ELK stack. Could you give an example of how we could use the event.dataset field in logstash?
Ideally I would want to use the event.dataset field to send logs to different indexes for different filebeat modules.
I suggest you do a little reading about Logstash configurations then open specific questions.
if [event][dataset]
Hi @stephenb ,
It is perfectly clear now! Thank you very much for pointing out event.dataset. Exactly what I was looking for 
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.