Hello everyone,
I want to send log of the "auth.log" file using system module of filebeat, and I have another file that I want to parse using logstash (as there is no module for that type of log).
And as I know, there is no possibility to enable both output logstash and Elasticsearch in filebeat. so I want to send both logs to logstash and then for the auth.log I won't apply any filter, and for the other logs I wll apply logstash filter
My question is:
Once the logs arrived to logstash input, How can I make the difference between the 2 sources of logs to be able to add tags to don't apply any filter to the auth.log file
beats {
port => "5044"
host => "10.10.10.1"
ssl => true
ssl_certificate_authorities => ["/etc/logstash/certs/ca.crt"]
ssl_certificate => "/etc/logstash/certs/logstash.crt"
ssl_key => "/etc/logstash/certs/logstash.pkcs8.key"
ssl_verify_mode => "force_peer"
type => "VYOS"
}
If I do that, it means all the logs coming from filebeat, will take the VYOS tag !
Could you please help me!
Thanks