The first part is correct on its own, but you may want to change it based on how you intend to write your Logstash config.
The second part won't work. You cannot override the type field once it's set. This is documented here. If you want to change the type then set document_type: access in your Filebeat configuration.
Here's an example Logstash config based on the Filebeat config you gave:
Filebeat:
filebeat:
  prospectors:
    - paths:
        - /path/to/logs/access.log
      fields: {log_type: access}
    -
      paths:
        - /path/to/other/logs/errors.log
      fields: {log_type: errors}
Logstash:
input {
  beats {
    port => 5044
  }
}
filter {
  if [fields][log_type] == "access" {
    mutate {
      add_field => { "foo" => "var" }
    }
  }
}
output {
  stdout { codec => rubydebug{} }
}