Logstash best practices for multiple sources

fropa · May 2, 2022, 8:43am

Hi folks,

I'm starting to use ELK, I've multiple source servers, some of them have also multiple logs to send.

Now I'm trying to set up logstash sample configuration to just receive and send logs to the elasticsearch

I've the configuration :

input {
beats {
port => 5044
}
}

output {

#X.X.X.X- nginx
if "nginx-40.126" in [tags] {
elasticsearch {
hosts => ["https://127.0.0.1:9200"]
user => "elastic"
password => "xxx.."
cacert => "/etc/logstash/certs/ca.cer"
index => "nginx-X.1"
}
}

#X.X.X.2 tomcat
if "tomcat-40.10" in [tags] {
elasticsearch {
hosts => ["https://127.0.0.1:9200"]
user => "elastic"
password => "xxx.."
cacert => "/etc/logstash/certs/ca.cer"
index => "tomcat-X.2"
}
}
}

and the configuration works, but I need to know if I can set up the connection to elasticsearch once and use it every time I need it. Or is that the best way to set up probably more than 100 sources? I mean config every log separately.

Badger · May 2, 2022, 4:27pm

Use conditionals in the filter section to set the index name and then use a sprintf reference in the Elasticsearch output. There is an example here. Note that the index option is ignored if ILM is enabled, which is on by default in recent versions.

system · May 30, 2022, 4:27pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Multiple output options in logstash.conf Logstash	9	7413	January 27, 2021
Have couple questions about Logstash configuration Logstash	27	5996	July 6, 2017
Elasticsearch-Logstash Mapping Elasticsearch	1	417	February 19, 2019
How to create multiple indexs with multiple input in logstash Logstash	8	2912	March 19, 2021
Logstash configuration with several sources Logstash	1	348	November 14, 2018

Logstash best practices for multiple sources

Related topics