Apache2 AND Nginx logs, store in same index or separate?

I'm working on web monitoring for a couple different services, some servers are Apache2 based, and some are Nginx based. Trying to figure out how to store the different document types.

I'm thinking the proper route would be to normalize both types of incoming logs in Logstash and store the both in a single "webservers-*" index. That would make for simpler reporting, monitoring and dashboards. If i needed apache2 specific reports or nginx reports, I could just query only against documents tagged as such.

But every time something seems dead obvious to me lately, it turns out I'm thinking about it wrong. Which is why I thought I'd ask here how you guys go about it?

Depends on how similar the formats end up, but you probably could put them together.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.