How to get Filebeat to output to multiple ES servers

Hello everyone,

I am using Filebeat for Suricata and an ES server. Now my colleagues have decided to use Filebeat as well, but they are using a completely different setup. I have been attempting to set different configurations in conf.d. However, it won't accept multiple output servers as far as I can see.

My question:
What would be the best way to configure filebeat to read two different logs and output to two different servers?

Hi Eddie,

You can find info on how to configure multiple logs here:

https://www.elastic.co/guide/en/beats/filebeat/current/configuration-filebeat-options.html

For the ES output you can use the hosts option, which is a list of strings:

https://www.elastic.co/guide/en/beats/filebeat/current/elasticsearch-output.html#hosts-option

Thanks for your response, but perhaps I wasn't clear enough.

Server1 has apache and suricata logs.

Apache logs need to end up on logstash_server_1 and thereafter ES_server 1.
Suricata logs need to end up on logstash_server_2 and thereafter ES_server 2.

The options for multiple servers are for cluster servers. But in this case the servers are not in a cluster, and the data needs to remain separate.

I think you can use 2 config files and run separate Filebeat instances for each config file.

One Filebeat instance will be started with the config file that sends Apache logs to logstash_server_1 and thereafter ES_server 1,

and the second Filebeat instance will be started with the config file that sends Suricata logs to logstash_server_2 and thereafter ES_server 2.

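The two-instance setup suggested in the last reply, sketched as an added example that is not part of the original thread. The file names, log paths, data directories and port 5044 are assumptions; the host names are the placeholders used in the question.

```yaml
# ---- File 1 (assumed name): /etc/filebeat/filebeat-apache.yml ----
# Start with: filebeat -c /etc/filebeat/filebeat-apache.yml
filebeat.inputs:
  - type: filestream            # older Filebeat releases use "type: log"
    id: apache-logs             # filestream inputs need a unique id
    paths:
      - /var/log/apache2/*.log  # assumed Apache log location

# Only one output may be enabled per Filebeat instance.
output.logstash:
  hosts: ["logstash_server_1:5044"]   # assumed Beats port

# Each instance needs its own data directory: the registry (read
# offsets) and the instance lock live here, so two instances that
# share it will refuse to start or corrupt each other's state.
path.data: /var/lib/filebeat-apache
path.logs: /var/log/filebeat-apache
---
# ---- File 2 (assumed name): /etc/filebeat/filebeat-suricata.yml ----
# Start with: filebeat -c /etc/filebeat/filebeat-suricata.yml
filebeat.inputs:
  - type: filestream
    id: suricata-eve
    paths:
      - /var/log/suricata/eve.json    # assumed Suricata EVE log location

output.logstash:
  hosts: ["logstash_server_2:5044"]   # assumed Beats port

path.data: /var/lib/filebeat-suricata
path.logs: /var/log/filebeat-suricata
```

Because each instance reads only its own inputs and has a single output, Apache events never reach logstash_server_2 and Suricata events never reach logstash_server_1.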