Logstash best practices for multiple sources

fropa · May 2, 2022, 8:43am

Hi folks,

I'm starting to use ELK, I've multiple source servers, some of them have also multiple logs to send.

Now I'm trying to set up logstash sample configuration to just receive and send logs to the elasticsearch

I've the configuration :

input {
beats {
port => 5044
}
}

output {

#X.X.X.X- nginx
if "nginx-40.126" in [tags] {
elasticsearch {
hosts => ["https://127.0.0.1:9200"]
user => "elastic"
password => "xxx.."
cacert => "/etc/logstash/certs/ca.cer"
index => "nginx-X.1"
}
}

#X.X.X.2 tomcat
if "tomcat-40.10" in [tags] {
elasticsearch {
hosts => ["https://127.0.0.1:9200"]
user => "elastic"
password => "xxx.."
cacert => "/etc/logstash/certs/ca.cer"
index => "tomcat-X.2"
}
}
}

and the configuration works, but I need to know if I can set up the connection to elasticsearch once and use it every time I need it. Or is that the best way to set up probably more than 100 sources? I mean config every log separately.

Badger · May 2, 2022, 4:27pm

Use conditionals in the filter section to set the index name and then use a sprintf reference in the Elasticsearch output. There is an example here. Note that the index option is ignored if ILM is enabled, which is on by default in recent versions.

system · May 30, 2022, 4:27pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Multiple output options in logstash.conf Logstash	9	7242	January 27, 2021
How to create multiple indexs with multiple input in logstash Logstash	8	2881	March 19, 2021
Best configuration for analysing multiple servers Elasticsearch	6	3920	July 6, 2017
Multiple input and multiple output Logstash	5	284	April 24, 2019
How to improve Logstash configuration for outputs Logstash	2	208	April 29, 2022

Logstash best practices for multiple sources

Related Topics