Filebeat with Nginx, how to differentiate 2 files?

gabriel_tessier · October 10, 2017, 10:42am

Good evening,

I use Filebeat for nginx files with ingest, here my filebeat config file:

{
  "output.elasticsearch": {
    "hosts": [
      "172.16.1.3:9200"
    ],
    "template.enabled": false,
    "index": "prod-%{+yyyy.MM.dd}"
  },
  "filebeat.modules": [
    {
      "access": {
        "enabled": true,
        "var.paths": [
          "/var/log/nginx/access-http.log",
          "/var/log/nginx/access-https.log",
        ],
        "encoding": utf-8
      },
      "module": "nginx"
    }
  ],
  "logging.to_files": false,
  "logging.files": null,
  "tags": ["prod", "service_prod"]
}

Everything work perfectly, I receive the content of both files in my index, my problem is how can I make a difference between the data coming from access-http and the data from access-https?
I tried several key like "document-type", "input-type" duplicate the "access" key inside modules array, also tried to define prospector key, I didn't get error but the value in kibana (and elastic) for type field is always log!!

Which key I need to define to differentiate the data coming from this 2 files, where and what to split to do it?

Thanks for any help.

ruflin · October 10, 2017, 11:37am

You should have a field source in each event which contains the full file path.

gabriel_tessier · October 11, 2017, 2:15am

Yes, you are great!! Big thanks.

I need new glasses!

system · November 8, 2017, 2:16am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.