How to configure ELK to receive logs from multiple servers

I have multiple servers on which Filebeat is installed, and they are sending their logs to ELK.
In Kibana, the logs from multiple servers are showing on a single logs page, which makes it very complicated to identify which log is coming from which server! Is there any way to separate each server's logs from each other?

Here is my logstash.config

# Specify listening port for incoming logs from the beats
input {
  beats {
    port => 5044
  }
}

# Used to parse syslog messages and send them to Elasticsearch for storing
filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGLINE}" }
    }
    date {
      match => [ "timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

# Specify an Elasticsearch instance
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
  }
}

Filebeat will add a field containing the name of the host on which it runs. You can use that to filter the logs in Kibana.

Can you please explain it more?

It will depend on what version you are running. I believe filebeat used to add [host][name] by default, and that now it is conditional upon you configuring an add_host_metadata processor.

In kibana you can just filter using host.name: myHost.
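
The processor setup mentioned in the replies above, as an added example that is not part of the original thread: a `filebeat.yml` fragment for each shipping server that enables `add_host_metadata` so every event carries `host.name`. The log path and the Logstash hostname are placeholders, and the `log` input syntax assumes a Filebeat version that uses `filebeat.inputs`.

```yaml
# filebeat.yml on each server that ships logs (added example)

filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/log/*.log          # placeholder: the log files to ship from this server

# Attach host details to every event. This populates host.name
# (and related host.* fields), which is what lets one server's
# events be told apart from another's after they reach Elasticsearch.
processors:
  - add_host_metadata: ~

# Send to the Logstash beats input from the question (port 5044).
output.logstash:
  hosts: ["logstash.example.internal:5044"]   # placeholder hostname

# After restarting Filebeat, filter in Kibana as described in the thread:
#   host.name: myHost
```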
