HI ,
I have set a wazuh ids server and a elk server a part... No problem with logstash and filebeat, no problem with kibana dashboard, but I have in logstash a config for parse filebeat wazuh log... and now I want to add multi filebeat index so as:
- nginx
- apache2
- mysql
- system
my logstash config for filebeat (wazuh log):
Wazuh - Logstash configuration file
Remote Wazuh Manager - Filebeat input
input {
beats {
port => 5000
codec => "json_lines"
}
}
filter {
geoip {
source => "srcip"
target => "GeoLocation"
fields => ["city_name", "continent_code", "country_code2", "country_name", "region_name", "location"]
}
date {
match => ["timestamp", "ISO8601"]
target => "@timestamp"
}
mutate {
remove_field => [ "timestamp", "beat", "fields", "input_type", "tags", "count", "@version", "log", "offset", "type"]
}
}
output {
elasticsearch {
hosts => ["localhost:9200"]
index => "wazuh-alerts-%{+YYYY.MM.dd}"
document_type => "wazuh"
template => "/etc/logstash/wazuh-elastic5-template.json"
template_name => "wazuh"
template_overwrite => true
}
}
and now I want to send to logstash filebeat modules apache, nginx, but how do that? Do I need to configure different logstash input beat with different index and document_type or I can do all in one config file?
I need to parse log apache, and nginx -> need grok?