How to configure ELK to receive logs from multiple servers

huzaifa224 · January 27, 2021, 3:02pm

I have multiple servers in which filebeat is installed and sending their logs to ELK.
In kibana multiple server's logs are showing on single logs page which is every complicated to identify which log is coming from which server! Is there any way to seprate each server logs from eachother.

Here is my logstash.config

#Specify listening port for incoming logs from the beats

input {
beats {
port => 5044
}
}

Used to parse syslog messages and send it to Elasticsearch for storing

filter {
if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOGLINE}" }
}
date {
match => [ "timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}
}

Specify an Elastisearch instance

output {
elasticsearch {
hosts => ["localhost:9200"]
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
}
}

Badger · January 27, 2021, 4:32pm

filebeat will add a field containing the name of the host on which it runs. You can use that to filter to the logs in kibana.

huzaifa224 · January 27, 2021, 6:43pm

Can you please explain it more?

Badger · January 27, 2021, 7:01pm

It will depend on what version you are running. I believe filebeat used to add [host][name] by default, and that now it is conditional upon you configuring an add_host_metadata processor.

In kibana you can just filter using host.name: myHost.

system · February 24, 2021, 7:01pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.