Classifying different events using logstash

Hi,

We have log events from different sources:

  • windows
  • syslog
  • firewall
    -database
    etc

dumped into the same file from a legacy process.

event1 could be windows, event2 could be oracle etc.,

What would be the best way to classify and seperate different types of log events.

I attempted using logstash groks based on presence of specific elements in the events to route the events to different folders.

For example, ORACLE logs have ORA in the message

filter {
    grok {
        match => { "[log][file][path]" => "/tmp/log/%{WORD:type}/%{DATA}" }
    }
}

output{
      file {
        path => "/tmp/target/%{type}/%{+yyyy.MM.dd.HH}/log.out"
     }
}

The above will not cover all the scenarios.

Is there a cleaner approach to perform the same.

Thank you