How to differentiate between server logs in logstash?


First of all, I'm not sure if this is the right place to post this, but I'll give it a shot.

I have several Windows servers running Filebeat, sending IIS logs to Logstash. I need some way to differentiate between them, to be able to tell which server sent which log, so that later on in Kibana I can view data from "all logs from server X". What's a good solution to this?

An example would be greatly appreciated.

Logstash configuration:

input {
  beats {
    port => 5044
  }
}

filter {
  # IIS W3C log line: date time s-ip cs-method cs-uri-stem cs-uri-query s-port
  # cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
  grok {
    match => ["message", "%{TIMESTAMP_ISO8601:log_timestamp} %{IP:serverIP} %{WORD:method} %{URIPATH:uriStem} %{NOTSPACE:uriQuery} %{NUMBER:port} %{NOTSPACE:username} %{IPORHOST:clientIP} %{NOTSPACE:userAgent} %{NOTSPACE:referer} %{NUMBER:response} %{NUMBER:subresponse} %{NUMBER:win32response} %{NUMBER:timetaken}"]
  }
}

output {
  elasticsearch {
    hosts => ["http://X.X.X.X:9200"]
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
}

Best regards
Rasmus Gärdekrans

By default, Filebeat will include metadata about which host it is running on and which file it is reading in the events that it sends to Logstash. So you should already have this ability.
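To make that concrete, here is an added example pipeline (not from the original post or from Elastic) that copies the Filebeat-supplied host name into a single `server` field so the Kibana query is the same whichever Filebeat version the agent runs. Filebeat 6.3 and later send the name as `host.name` and the file path as `log.file.path`; older releases sent `beat.hostname` and `source`. Because the host name is self-reported by the agent (it comes from the agent's own configuration and OS), the example also turns on TLS with client certificate verification on the Beats input, so a machine without a certificate issued by your CA cannot claim to be server X; the certificate paths are assumptions, the key must be in PKCS#8 format, and the `[@metadata][ip_address]` field is assumed to be populated by recent versions of the beats input with the TCP peer address.

```logstash
input {
  beats {
    port => 5044
    # Assumed paths. Requiring a client certificate ties "which server" to a
    # credential rather than to a hostname string the agent can set freely.
    ssl => true
    ssl_certificate => "/etc/logstash/certs/logstash.crt"
    ssl_key => "/etc/logstash/certs/logstash.pkcs8.key"
    ssl_certificate_authorities => ["/etc/logstash/certs/ca.crt"]
    ssl_verify_mode => "force_peer"
  }
}

filter {
  # Normalise the host name across Filebeat versions into one field.
  if [host][name] {
    mutate { add_field => { "server" => "%{[host][name]}" } }
  } else if [beat][hostname] {
    mutate { add_field => { "server" => "%{[beat][hostname]}" } }
  }

  # Normalise the log file path the same way.
  if [log][file][path] {
    mutate { add_field => { "source_file" => "%{[log][file][path]}" } }
  } else if [source] {
    mutate { add_field => { "source_file" => "%{[source]}" } }
  }

  # Keep the peer address seen by Logstash; unlike host.name the agent
  # cannot change it in filebeat.yml. (Assumed to be set by the beats input.)
  if [@metadata][ip_address] {
    mutate { add_field => { "server_ip_seen" => "%{[@metadata][ip_address]}" } }
  }

  # Windows host names are case-insensitive; lowercase so that "WEB01" and
  # "web01" land in the same Kibana bucket.
  mutate { lowercase => [ "server" ] }

  grok {
    match => ["message", "%{TIMESTAMP_ISO8601:log_timestamp} %{IP:serverIP} %{WORD:method} %{URIPATH:uriStem} %{NOTSPACE:uriQuery} %{NUMBER:port} %{NOTSPACE:username} %{IPORHOST:clientIP} %{NOTSPACE:userAgent} %{NOTSPACE:referer} %{NUMBER:response} %{NUMBER:subresponse} %{NUMBER:win32response} %{NUMBER:timetaken}"]
  }
}

output {
  elasticsearch {
    hosts => ["http://X.X.X.X:9200"]
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
}
```

In Kibana, "all logs from server X" is then the query `server:"web01"` (or `host.name:"WEB01"` if you prefer the raw field), and `server_ip_seen` lets you spot an agent whose reported name does not match the address it connected from. Each Filebeat needs the matching `ssl.certificate`, `ssl.key` and `ssl.certificate_authorities` settings under `output.logstash` for the mutual-TLS handshake to succeed.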

Thanks for your reply!
