At the moment, I am using Docker Compose to run a Logstash image. Here is my use case:
I have Filebeat installed on 5 machines, each with different log paths and log formats. Instead of having one logstash.conf file that processes everything (with [tags] and 'else if' statements), I would like to decompose that into multiple .conf files.
I did look into pipelines.yml, but I was confused about how Logstash would be able to figure out that a certain Filebeat instance should use a certain configuration file. Is the pipeline.id something I need to specify in Filebeat? Any help would be much appreciated.
If you run five completely independent pipelines, then each one would listen on a different port, so the output.logstash section would be different in each Filebeat instance.
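A minimal sketch of that layout, assuming the default Docker image paths and made-up pipeline ids and ports:

```yaml
# pipelines.yml — one isolated pipeline per log format (ids, paths, and ports are assumptions)
- pipeline.id: apache
  path.config: "/usr/share/logstash/pipeline/apache.conf"   # its beats input listens on 5044
- pipeline.id: nginx
  path.config: "/usr/share/logstash/pipeline/nginx.conf"    # its beats input listens on 5045
# ...one entry per machine/format, up to five
```

Each Filebeat would then point at the port of "its" pipeline:

```yaml
# filebeat.yml on the machine shipping the apache logs (hostname assumed)
output.logstash:
  hosts: ["logstash:5044"]
```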
Alternatively, you could point a single pipeline's path.config at a folder of .conf files; this would merge all the configuration files and run just one pipeline.
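For example, a single entry in pipelines.yml can load everything in a folder (the path is an assumption based on the default Docker image):

```yaml
# pipelines.yml — one pipeline built from the concatenation of every file in the folder
- pipeline.id: main
  path.config: "/usr/share/logstash/pipeline/*.conf"
```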
What you could try is to combine multiple pipelines with pipeline-to-pipeline communication, more specifically the distributor pattern.
You would have one pipeline with a single port listening for your Beats traffic, and then use conditionals in its output to route events to the other pipelines.
This way you will have 3 pipelines: the first one just receives data from Beats and forwards it to the other pipelines, where you will have your filters and your final outputs.
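A sketch of that distributor layout, assuming each Filebeat sets a tag per machine (e.g. tags: ["abc"] in filebeat.yml) and using your abc/xyz names; the ids, paths, and virtual addresses are all assumptions:

```yaml
# pipelines.yml — one distributor plus one pipeline per log format
- pipeline.id: main
  path.config: "/usr/share/logstash/pipeline/main.conf"
- pipeline.id: abc
  path.config: "/usr/share/logstash/pipeline/abc.conf"
- pipeline.id: xyz
  path.config: "/usr/share/logstash/pipeline/xyz.conf"
```

```
# main.conf — a single beats input, with conditional routing to the downstream pipelines
input {
  beats {
    port => 5044
  }
}
output {
  if "abc" in [tags] {
    pipeline { send_to => ["abc-pipeline"] }
  } else if "xyz" in [tags] {
    pipeline { send_to => ["xyz-pipeline"] }
  }
}
```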
There is nothing wrong with having just one pipeline and pointing the config to a folder with multiple files, but since you have multiple different log formats, you would need conditionals in both your filters and your outputs. It is up to you which approach works best.
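As a sketch of what one of those merged files would look like, with the tag name, grok pattern, and Elasticsearch host all assumed:

```
# one of the merged .conf files — both the filter and the output are guarded by the same conditional
filter {
  if "abc" in [tags] {
    grok { match => { "message" => "%{COMBINEDAPACHELOG}" } }   # pattern is an assumption
  }
}
output {
  if "abc" in [tags] {
    elasticsearch {
      hosts => ["http://elasticsearch:9200"]   # host assumed
      index => "abc-%{+YYYY.MM.dd}"
    }
  }
}
```

If any file's conditional is wrong or missing, events from the other formats will flow through it as well, which is the risk described next.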
The multiple-pipelines approach has the advantage of completely isolating the pipelines: you run no risk of events from one pipeline ending up in the output of another, which can happen if you point to a folder with multiple files and have a misconfigured conditional.
Sorry, one last question: would I leave my other .config files (abc.config and xyz.config) in the same format (input, filter, then output)?
I assume I would take out the input portion of the configuration, since that is being handled by main.config, but leave the filter and output configuration the same.
Every Logstash pipeline configuration needs an input and an output block; the filter block is optional.
As the example in the documentation shows, if you have an output that sends events to another pipeline, then you need another pipeline with a pipeline input to receive those events.
For example, to receive the data that is being sent to the xyz-pipeline, you will need this input:
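```
# xyz.config — the input becomes a pipeline input; the filter and output stay as they were
input {
  pipeline {
    address => "xyz-pipeline"   # must match the send_to value in the distributor's output
  }
}
```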