I'm new user of Elasticsearch, Kibana, Logstash and Filebeat, but have managed to install an environment and can send logs from my servers to the Logstash, which parses and forwards these to Elasticsearch.. So far so good..
I'm almost ready to put this setup into production - but am missing some information to ensure I've done everything the "right way".
We will be using the ElasticStack as centralized log server (For kind of backup but also for our operations team to daily access logs across all systems)
The part I am most in doubt of is the "Indices"? What is best practice here? Will one fit all or must I split them into...? Servers, Log types or ?
Right now I've been testing with a single one named logstash-*
We will be shipping a big varieties of log files to the ElasticStack (Rails logs, debian logs, java logs and also custom logs)
Please advice for some good resources and use cases for when to split into indices and when not to.