How to make difference between 2 source of logs in Logstash input

Hello everyone,

I want to send log of the "auth.log" file using system module of filebeat, and I have another file that I want to parse using logstash (as there is no module for that type of log).
And as I know, there is no possibility to enable both output logstash and Elasticsearch in filebeat. so I want to send both logs to logstash and then for the auth.log I won't apply any filter, and for the other logs I wll apply logstash filter

My question is:
Once the logs arrived to logstash input, How can I make the difference between the 2 sources of logs to be able to add tags to don't apply any filter to the auth.log file

   beats {
      port => "5044"
      host => ""
      ssl => true
      ssl_certificate_authorities => ["/etc/logstash/certs/ca.crt"]
      ssl_certificate => "/etc/logstash/certs/logstash.crt"
      ssl_key => "/etc/logstash/certs/logstash.pkcs8.key"
      ssl_verify_mode => "force_peer"
      type => "VYOS"

If I do that, it means all the logs coming from filebeat, will take the VYOS tag !

Could you please help me!

You can use the fields option of a filebeat log input to tag the different types of data.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.