I am trying to build a elk stack.
Under /etc/logstash/conf.d, I have several configration files, a.conf, b.conf.
How to start logstash and pass both of the files, or can I just pass the direcory ?
As documented you can just pass the directory. All files will effectively be concatenated, i.e. events from all inputs in a.conf will be processed by filters and outputs in both a.conf and b.conf. If you don't want that you need to use conditionals.
which way do we usually prefer ?
That's up to you, but I prefer passing a directory name to avoid having to maintain both the configuration files themselves and the list of their names.