Different Logs to Different ELK Stacks

Tony_Chirillo · September 29, 2017, 4:54pm

Is it possible to configure an instance of Winlogbeat to send different logs to different elk stacks? If no, how would such be accomplished? Would that require the installation of multiple instances of Winlogbeat on servers?

andrewkroh · September 29, 2017, 5:00pm

Beats cannot route events to different clusters. You can use Logstash to route events.

                +------>  ES
 WLB  +-->  LS  |
                +------>  ES

In Logstash you can use a conditional statement to output to different elasticsearch instances.

output {
  if // some condition {
    elasticsearch {
      // ES cluster A
    }
  } else if // some other condition {
    elasticsearch {
      // ES cluster B
    }
  }
}

warkolm · September 29, 2017, 8:36pm

FYI we’ve renamed ELK to the Elastic Stack, otherwise Beats feels left out

system · October 27, 2017, 8:37pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.