Adding more logs to filebeat to export and on elk server to logstash to receive

pkhodaveissi · November 1, 2016, 8:15am

Hello
I have this starter config which derives from DigitalOcean and looks like this:
input {
beats {
port => 5044
ssl => true
ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
}
}

I like to add mysql slow query logs and tomcat logs, each from a different server to this config, how the approach would look like and how to handle two or more multiline pattern in input and then filter sections?
thanks a lot
Pierre

magnusbaeck · November 1, 2016, 8:25am

Set the document type on the Filebeat side and it'll get carried over to Logstash. Then add conditional filters to process events of different types in different ways.
Do multiline processing as close to the source as possible, i.e. do it in Filebeat and not in Logstash.

pkhodaveissi · November 1, 2016, 8:44am

thank you for your comment, is there any example showing how would the approach look like for each part, "Set the document type on the Filebeat side", "add conditional filters to process events of different types in different ways", "doing multiline processing in source" ?

magnusbaeck · November 1, 2016, 9:28am

how would the approach look like for each part, "Set the document type on the Filebeat side",

I believe the Filebeat option is named document_type. See its documentation.

"add conditional filters to process events of different types in different ways",

"doing multiline processing in source" ?

pkhodaveissi · November 1, 2016, 9:39am

thank you so much for your answer, I'll go through it step by step, to safe assure the first part, you mean input_type option, don't you?

magnusbaeck · November 1, 2016, 9:41am

you mean input_type option, don't you?

No, I really mean document_type.

pkhodaveissi · November 1, 2016, 9:46am

Found it (document_type) here: Filebeat Configuration Options