How to tag log files in filebeat for logstash ingestion?

The first part is correct on its own, but you may want to change it based on how you intend to write your Logstash config.

The second part won't work. You cannot override the type field once it's set. This is documented here. If you want to change the type then set document_type: access in your Filebeat configuration.

Here's an example Logstash config based on the Filebeat config you gave:

Filebeat:

filebeat:
  prospectors:
    - paths:
        - /path/to/logs/access.log
      fields:  {log_type: access}
    -   
      paths:
        - /path/to/other/logs/errors.log
      fields: {log_type: errors}

Logstash:

input {
  beats {
    port => 5044
  }
}

filter {
  if [fields][log_type] == "access" {
    mutate {
      add_field => { "foo" => "var" }
    }
  }
}

output {
  stdout { codec => rubydebug{} }
}
4 Likes