How to separate devices/logfiles

ELK212 · May 19, 2020, 1:13pm

Hello,

I just want to know how a logical separation should/could look like for different types of devices.

Let's say I have a bunch of switches and a bunch of servers which can send syslog messages.
How should I separate them in Elasticsearch (two groups: switches and servers)? How could this look like in the logstash configuration? Are there any guidelines?

Is there any function I can group devices? Maybe lets say all devices in a specific range will get index "X" and other ones get index "Y"?

Regards
ELK212

warkolm · May 19, 2020, 11:07pm

You could do that with a conditional block and then add a tag to the event with mutate. That'd be the easiest way I can think of.

Feedy · May 19, 2020, 11:24pm

Are you using filebeat to send logs to Logstash?

system · June 16, 2020, 11:24pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.