From the start, I've implemented the Elastic Stack using Logstash as the receiver and sender of logs to Logstash.
I've always implemented it using various pipelines. Each pipeline is organized in a different configuration file.
This forces me, on the Elastic Stack server (one node), to open a port for each of my pipelines and configurations.
One case that I have been discussing with a coworker is syslog files.
Since each provider sends syslogs in a different format, I have a configuration file for each one, filter them as needed and output to an Elasticsearch index.
The other way this could be done is having one file listening on just one port and, inside it, adding a lot of filters so each one is mutated in its own way. Similarly, in the output section, I would send them to each index as needed.
Personally, I see a huge configuration file as confusing and hard to manage. This is why I separated it.
But I do want to know: is this wrong? Should I just stick it all in one file?
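As an added example (not from the original post), here is what the single-file, single-port variant described in the question looks like in Logstash's pipeline configuration language. The port, the Elasticsearch host and the two vendor markers (`%VENDORA-` and `vendorb[`) are assumptions chosen for illustration; the point is the shape: one listener, per-vendor branches in the filter section, and an explicit catch-all so unrecognised formats are kept and flagged rather than silently dropped.

```conf
# One listener, one pipeline file: every device sends syslog to the same port
# and conditionals inside the pipeline do the per-vendor work.
input {
  syslog {
    port => 5514          # assumed port; a port above 1024 avoids running Logstash as root
    type => "syslog"
  }
}

filter {
  # Route on a marker in the message body. The two regexes below are
  # placeholders for whatever actually distinguishes the vendors' formats.
  if [message] =~ /^%VENDORA-/ {
    mutate { add_field => { "[@metadata][vendor]" => "vendora" } }
    grok {
      match => { "message" => "^%VENDORA-%{INT:severity}: %{GREEDYDATA:event}" }
      tag_on_failure => ["_grok_vendora_failed"]
    }
  } else if [message] =~ /^vendorb\[/ {
    mutate { add_field => { "[@metadata][vendor]" => "vendorb" } }
    grok {
      match => { "message" => "^vendorb\[%{INT:pid}\]: %{GREEDYDATA:event}" }
      tag_on_failure => ["_grok_vendorb_failed"]
    }
  } else {
    # Nothing matched: keep the event, mark it, and send it to its own index
    # instead of dropping it, so an unexpected or spoofed format is noticed.
    mutate {
      add_field => { "[@metadata][vendor]" => "unrouted" }
      add_tag   => ["_unrouted"]
    }
  }
}

output {
  # @metadata fields are not indexed, so the routing key never reaches the stored document.
  elasticsearch {
    hosts => ["https://es01:9200"]   # assumed host
    index => "syslog-%{[@metadata][vendor]}-%{+YYYY.MM.dd}"
  }
}
```

Dropped into /etc/logstash/conf.d/ (or referenced from pipelines.yml), this runs as a single pipeline on a single port, with one Elasticsearch output whose index name is derived from the routing key rather than a separate output block per vendor. Logstash also offers a middle path between the two approaches in the question, pipeline-to-pipeline communication: one intake pipeline bound to one port ends with `output { pipeline { send_to => ["vendora", "vendorb"] } }`, and each vendor's pipeline lives in its own file starting with `input { pipeline { address => "vendora" } }`, all registered in pipelines.yml. That keeps one open port without one giant file.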