I'm about to install an ELK stack for system logs. One of the systems I will stash events from is our VMware ESX farm, via syslog from ESX servers to vCenter server and then via Filebeat on the vCenter server to Logstash. The logs are in syslog style but do not follow the standard, so I have to filter and format them in my Logstash pipeline.
I have a problem deciding if I should keep all logs from all Filebeat shippers in the same index naming context or if I should use different index names for every log format. I'm leaning towards using system-specific index names as the log formats will differ, but don't have enough experience to make an educated decision.
I.e., should I use the default Filebeat naming "filebeat-%{[@metadata][version]}-%{+YYYY.MM.dd}" and add a tag named "esx-servers" for easy filtering, or should I use my own VMware ESX specific naming like "vmware-esx-%{[@metadata][version]}-%{+YYYY.MM.dd}" or something else?
What is best practice and pros/cons?