I'm a fresh user of ELK. I would like to read logs from different files and use grok's filter only for a certain log/file. My setup looks like this:
firewall logs -> rsyslog -> file -> filebeat -> logstash -> Elastic/Kibana
If I understand correctly, I should add a field in the filebeat configuration and afterwards in the logstash statement # if [type] == "firewall" then .. and the filter configuration.
I couldn't find a filebeat.yml config for that; I was trying like this:

```yaml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/fw/*.log
  fields:
    type: firewall
- type: log
  enabled: true
  paths:
    - /var/log/sw/*.log
    - /var/log/pxy/*.log
    - /var/log/srv/*.log

processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~
  - add_fields:
      target: ''
      fields:
        name: type
        id: '999999999'
```

But it doesn't work. Thanks for any help.
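An added example, not part of the original post: Filebeat nests custom `fields` under a `fields` key unless `fields_under_root: true` is set on the input, so a Logstash conditional for the first input in the question has to test `[fields][type]` rather than `[type]`. The Beats port, the grok pattern (a generic syslog pattern standing in for the real firewall format), the failure tag and the Elasticsearch host are assumptions.

```logstash
input {
  beats {
    port => 5044                      # assumed port; must match output.logstash in filebeat.yml
  }
}

filter {
  # Filebeat input has `fields: { type: firewall }` without fields_under_root,
  # so the value arrives as [fields][type].
  # If the input sets `fields_under_root: true`, test [type] instead.
  if [fields][type] == "firewall" {
    grok {
      # Placeholder pattern: rsyslog-written lines usually start with a syslog
      # header. Replace with a pattern that matches the actual firewall format.
      match => { "message" => "%{SYSLOGLINE}" }
      # Mark events that did not parse so they can be found in Kibana
      # instead of silently missing the extracted fields.
      tag_on_failure => ["_fw_grokparsefailure"]
    }
  }
  # Events from the other inputs (sw, pxy, srv) carry no [fields][type]
  # and pass through without grok.
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]   # assumed host
  }
}
```

Searching Kibana for the `_fw_grokparsefailure` tag shows which firewall lines the pattern does not cover yet.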