Can we configure Winlogbeat to send logs to multiple Logstash instances?

Hi,

I just wanted to check if we can configure Winlogbeat to send logs to multiple Logstash instances. I have two different Logstash instances which would then send logs to two different Elasticsearch clusters. So, I would need to send logs to two different Logstash instances. Do I need to use multiple Winlogbeat config files?

Please help me solve the issue.

Thanks

Hello @amruth,

Currently, Winlogbeat or any other Beat doesn't support multiple outputs. Since you already have the Logstash infrastructure, you could use conditionals based on the data in the event to send it to the appropriate Elasticsearch cluster.

output {
   if [field] == "s1" {
      elasticsearch { ... } #cluster 1
   } else {
      elasticsearch{ ... } #cluster 2
   }
}

Hi Pier,

But Logstash-1 can't talk to Elasticsearch-2. They are independent clusters. What should I do now? Can't I use 2 different Winlogbeat yml files?

@amruth So your server has access to both of the clusters?

In that case, you could run two Winlogbeats using different configurations and different path.data.

This will use a bit more resources on the edge server.

Is it for replication, so that both clusters have all the events?

I will try to explain it clearly.

So, Winlogbeat (on the App server) needs to send logs to Logstash-1 (which would then send logs to the Elasticsearch-1 cluster) and also to Logstash-2 (which would then send logs to the Elasticsearch-2 cluster). Basically, all the logs on the App server need to be sent to the Elasticsearch-1 and Elasticsearch-2 clusters. And these two clusters are independent, which means even Logstash-1 can't reach Elasticsearch-2.

So, do I need to run two different Winlogbeats on App server?

@amruth Yes
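
The two-instance setup suggested in this thread, sketched as an added example (it is not from the thread participants or from the Winlogbeat project). The hostnames, port 5044, the event log selection and all directory paths are placeholders chosen for illustration.

```yaml
# ---- File 1 (constructed path): C:\ProgramData\winlogbeat-1\winlogbeat.yml ----
# Started with: winlogbeat.exe -c C:\ProgramData\winlogbeat-1\winlogbeat.yml
winlogbeat.event_logs:
  - name: Application
  - name: System
  - name: Security

# Each instance gets its own data directory. Winlogbeat keeps its registry of
# read positions under path.data, so sharing it would let one instance's
# bookmarks affect what the other one ships.
path.data: 'C:\ProgramData\winlogbeat-1\data'
path.logs: 'C:\ProgramData\winlogbeat-1\logs'

output.logstash:
  hosts: ["logstash-1.example.internal:5044"]   # placeholder: Logstash-1

---
# ---- File 2 (constructed path): C:\ProgramData\winlogbeat-2\winlogbeat.yml ----
# Started with: winlogbeat.exe -c C:\ProgramData\winlogbeat-2\winlogbeat.yml
# Same event logs as file 1, so both clusters receive every event.
winlogbeat.event_logs:
  - name: Application
  - name: System
  - name: Security

# Separate registry and log directories for the second instance.
path.data: 'C:\ProgramData\winlogbeat-2\data'
path.logs: 'C:\ProgramData\winlogbeat-2\logs'

output.logstash:
  hosts: ["logstash-2.example.internal:5044"]   # placeholder: Logstash-2
```

If the two instances are installed as Windows services, each needs a distinct service name. Because the registries are independent, an outage on one Logstash path delays delivery only to that cluster.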
