I'm working on web monitoring for a couple of different services; some servers are Apache2-based, and some are Nginx-based. I'm trying to figure out how to store the different document types.
I'm thinking the proper route would be to normalize both types of incoming logs in Logstash and store them both in a single "webservers-*" index. That would make for simpler reporting, monitoring and dashboards. If I needed Apache2-specific reports or Nginx reports, I could just query only against documents tagged as such.
But every time something seems dead obvious to me lately, it turns out I'm thinking about it wrong. Which is why I thought I'd ask here how you guys go about it?
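
The normalization described in the post, sketched in Python as an added example (not code from the post, and a stand-in for the equivalent Logstash filter logic). The field names, the `webservers-unparsed` index and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Apache2's "combined" format and Nginx's predefined "combined" format share this layout.
COMBINED = re.compile(
    r'(?P<client_ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)'
    r'(?: "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# Constructed sample lines (documentation IP ranges), not real traffic.
APACHE_LINE = '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 304 - "-" "curl/8.0"'
NGINX_LINE = '198.51.100.9 - alice [10/Oct/2023:23:30:00 -0200] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

def normalize(line, server_type):
    """Return (index_name, document) in one shared schema, tagged by server type."""
    m = COMBINED.match(line)
    if m is None:
        # Keep unparsed lines searchable instead of silently dropping them.
        return "webservers-unparsed", {"tags": [server_type, "_parsefailure"], "message": line}
    # Convert to UTC so documents from servers in different time zones land in the same daily index.
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    parts = m["request"].split(" ")
    method, path = (parts[0], parts[1]) if len(parts) >= 2 else (None, m["request"])
    doc = {
        "@timestamp": ts.isoformat(),
        "tags": [server_type],  # "apache2" or "nginx", for server-specific queries
        "client_ip": m["client_ip"],
        "user": None if m["user"] == "-" else m["user"],
        "method": method,
        "path": path,
        "status": int(m["status"]),
        # Apache logs "-" for an empty body where Nginx logs 0; store one numeric type.
        "bytes": 0 if m["bytes"] == "-" else int(m["bytes"]),
        "referrer": m["referrer"],
        "user_agent": m["agent"],
    }
    return "webservers-" + ts.strftime("%Y.%m.%d"), doc

if __name__ == "__main__":
    for line, kind in ((APACHE_LINE, "apache2"), (NGINX_LINE, "nginx")):
        print(normalize(line, kind))
```

Both server types produce the same set of fields, so a dashboard can query `webservers-*` as a whole or filter on the tag.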