This seems to be related to your previous question, please avoid opening duplicate questions.
If you want data from your syslog file to go to the syslog-YYYY.MM.dd index and data from your cron file to go to the cron-YYYY.MM.dd index, the best approach is to use multiple pipelines.
You will need one pipeline for your syslog file and another one for your cron file.
For example, you can have a syslog.conf and cron.conf
syslog.conf
input {
  file {
    id => "TEST-Syslog"
    path => [ "/var/log/syslog" ]
  }
}
output {
  elasticsearch {
    id => "TEST-output-Syslog"
    hosts => [ "127.0.0.1" ]
    index => "syslog-%{+YYYY.MM.dd}"
  }
}
and
cron.conf
input {
  file {
    id => "TEST-Cron"
    path => [ "/var/log/cron.log" ]
  }
}
output {
  elasticsearch {
    id => "TEST-output-Cron"
    hosts => [ "127.0.0.1" ]
    index => "cron-%{+YYYY.MM.dd}"
  }
}
Then you should update your pipelines.yml to this one:
- pipeline.id: syslog
  path.config: "/etc/logstash/conf.d/syslog.conf"
- pipeline.id: cron
  path.config: "/etc/logstash/conf.d/cron.conf"