Logstash best practices for multiple sources

fropa · May 2, 2022, 8:43am

Hi folks,

I'm starting to use ELK, I've multiple source servers, some of them have also multiple logs to send.

Now I'm trying to set up logstash sample configuration to just receive and send logs to the elasticsearch

I've the configuration :

input {
beats {
port => 5044
}
}

output {

#X.X.X.X- nginx
if "nginx-40.126" in [tags] {
elasticsearch {
hosts => ["https://127.0.0.1:9200"]
user => "elastic"
password => "xxx.."
cacert => "/etc/logstash/certs/ca.cer"
index => "nginx-X.1"
}
}

#X.X.X.2 tomcat
if "tomcat-40.10" in [tags] {
elasticsearch {
hosts => ["https://127.0.0.1:9200"]
user => "elastic"
password => "xxx.."
cacert => "/etc/logstash/certs/ca.cer"
index => "tomcat-X.2"
}
}
}

and the configuration works, but I need to know if I can set up the connection to elasticsearch once and use it every time I need it. Or is that the best way to set up probably more than 100 sources? I mean config every log separately.

Badger · May 2, 2022, 4:27pm

Use conditionals in the filter section to set the index name and then use a sprintf reference in the Elasticsearch output. There is an example here. Note that the index option is ignored if ILM is enabled, which is on by default in recent versions.

system · May 30, 2022, 4:27pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.