How to separate devices/logfiles

ELK212 · May 19, 2020, 1:13pm

Hello,

I just want to know how a logical separation should/could look like for different types of devices.

Let's say I have a bunch of switches and a bunch of servers which can send syslog messages.
How should I separate them in Elasticsearch (two groups: switches and servers)? How could this look like in the logstash configuration? Are there any guidelines?

Is there any function I can group devices? Maybe lets say all devices in a specific range will get index "X" and other ones get index "Y"?

Regards
ELK212

warkolm · May 19, 2020, 11:07pm

You could do that with a conditional block and then add a tag to the event with mutate. That'd be the easiest way I can think of.

Feedy · May 19, 2020, 11:24pm

Are you using filebeat to send logs to Logstash?

system · June 16, 2020, 11:24pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to create separate index for separate devices? Logstash	7	583	April 17, 2018
How separate the logs each device Beats	5	1870	May 23, 2017
Seperate filebeats for different groups of servers Elasticsearch elastic-stack-security	5	532	August 28, 2020
Rsyslog to logstash help Logstash	4	1365	December 17, 2017
If I have syslogs from multiple types of devices and multiple ILM policies, how should I structure these? Elasticsearch	1	323	October 14, 2019

How to separate devices/logfiles

Related topics