How to handle multiple beats in Logstash


(A G) #1

Hello,

I am running winlogbeat for windows event logs and filebeat on Linux for audit logs and syslogs. However I would like to index windows event logs, Linux Audit logs and sys logs separately in Elasticsearch.

My logstash.conf file is something like below.

input {
  beats {
    port => 5044
    client_inactivity_timeout => 599
    ssl => true
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}

output {
  if [source] == "/var/log/audit/audit.log" {
    elasticsearch {
      hosts => ["localhost:9200"]
      index => "linux-audit-logs"
    }
  }
  else if [source] == "/var/log/messages" {
    elasticsearch {
      hosts => ["localhost:9200"]
      index => "linux-sys-logs"
    }
  }
  else if [type] == "event_logs" {
    elasticsearch {
      hosts => ["localhost:9200"]
      sniffing => true
      manage_template => false
      index => "windows-event-logs"
    }
  }
}

However I can only see two indices in Elasticsearch linux-sys-logs and linux-audit-logs and not event logs. Not sure what mistake I am making here.

Thanks,


(Magnus Bäck) #2

How do you know that the Winlogbeat events actually have "event_logs" in the type field?


(A G) #3

Not sure, I thought event_logs is a type. I am looking for a way to index separately based on some field or a tag.

something like this..

if beat is metric {
}
else if beat is winlog {
}
else if beat is filebeat {
}

Thanks,
Charan


(Magnus Bäck) #4

I suggest you add

} else {
  stdout { codec => rubydebug }
}

to the end of your output block so that events that don't match any of the conditions are dumped to stdout. Then you'll see which fields you can use in your condition.
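Putting the thread's pieces together, the following is an added example pipeline (not the original poster's config and not an official Elastic example). It routes on `[@metadata][beat]`, the beat name (for example "filebeat" or "winlogbeat") that the Logstash beats input attaches to every event, instead of guessing at `[type]`, and it ends with the catch-all `stdout` output suggested above. It assumes Beats 6.x or 7.x talking to an Elasticsearch on localhost:9200; the certificate paths and index names are taken from the thread. `rubydebug { metadata => true }` is used so the `@metadata` fields, which are hidden by default, are visible when reading off which field to condition on.

```logstash
# Added example; assumes Beats 6.x/7.x and Elasticsearch on localhost:9200.
input {
  beats {
    port => 5044
    client_inactivity_timeout => 599
    ssl => true
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}

output {
  # [@metadata][beat] is set by the beats input from the shipper's name, so
  # Winlogbeat events can be selected without relying on a custom type field.
  if [@metadata][beat] == "winlogbeat" {
    elasticsearch {
      hosts => ["localhost:9200"]
      manage_template => false
      index => "windows-event-logs"
    }
  }
  # Filebeat events are further split by the file they came from (the same
  # [source] checks used in the original config).
  else if [@metadata][beat] == "filebeat" and [source] == "/var/log/audit/audit.log" {
    elasticsearch {
      hosts => ["localhost:9200"]
      index => "linux-audit-logs"
    }
  }
  else if [@metadata][beat] == "filebeat" and [source] == "/var/log/messages" {
    elasticsearch {
      hosts => ["localhost:9200"]
      index => "linux-sys-logs"
    }
  }
  # Catch-all from the thread: anything that matched none of the conditions is
  # printed with all fields (including @metadata) so a missing route shows up
  # in the Logstash log instead of being silently dropped.
  else {
    stdout { codec => rubydebug { metadata => true } }
  }
}
```

Keeping the final `else` in place after debugging is worthwhile from a monitoring standpoint: a Beat whose events stop matching (for example after a Filebeat upgrade, where 7.x reports the file path under `[log][file][path]` rather than `[source]`) then surfaces in the Logstash log rather than quietly disappearing from the indices. Keeping Windows event logs, audit logs and syslog in separate indices also lets each get its own retention period and access control in Elasticsearch.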


(system) #5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.