Logstash configuration: for journalbeat from multiple servers

K_B1 · July 15, 2019, 9:23am

Hi there, I've been trying to collect logs, using journalbeat from multiple servers onto a single logstash server. I already have winlogbeat on my windows server which is using 5044, hence other servers with journalbeat are on 5045. It throws following error:

Error: Cannot assign requested address
Exception: Java::JavaNet::BindException

here is my logstash conf file. I don't understand how do I differentiate these logs/indices between server1 & server2.
@magnusbaeck could you please suggest

input {

beats {
     port => "5044"
     tags => ["windows-server"]
}
  beats {
     port => "5045"
     tags => ["server1"]
}
  beats {
     port => "5045"
     tags => ["server2"]
}

}

output {

 if "windows-server" in [tags] {
                elasticsearch {
                        hosts => ["ip of elasticsearch:9200"]
                        manage_template => false
                        index => "windowslogs-%{+YYYY.MM.dd}"
                        user => "elastic"
                        password => "password"
                 }
}
    if "server1" in [tags] {
                elasticsearch {
                        hosts => ["ip of elasticsearch:9200"]
                        manage_template => false
                        index => "server1logs-%{+YYYY.MM.dd}"
                        user => "elastic"
                        password => "password"
                 }
}

    if "sever2" in [tags] {
                elasticsearch {
                        hosts => ["ip of elasticsearch:9200"]
                        manage_template => false
                        index => "server2logs-%{+YYYY.MM.dd}"
                        user => "elastic"
                        password => "password"
                 }
}

}

Badger · July 15, 2019, 2:40pm

You cannot have two beats inputs listening on the same port (5045). The beats will add fields to the events that identify which host they are coming from.

K_B1 · July 15, 2019, 2:53pm

Is it possible then to filter by hosts but on the same port? I might need to add more servers to this configuration. Or (Directing to different ports would only help?) what could be a better solution to this? please suggest.

Badger · July 15, 2019, 3:00pm

You could use a different port for each source server and add tags to differentiate them, but there is no need to do that because the beats add fields that differentiate them.

K_B1 · July 16, 2019, 6:00am

Thanks for your prompt response:
Could you please give an example for my better understanding.

In journalbeat, I've put _SYSLOG_IDENTIFIER in include matches section

Topic		Replies	Views
Multiple beats 1 input port with multiple index output Logstash	8	1846	April 5, 2019
Logstash is not connecting on muliple port for different beats Logstash	12	713	September 28, 2018
Logstash from multiple beats server Logstash	2	209	February 16, 2023
Multiple filebeat servers to configure single logstash Logstash	6	1066	December 26, 2019
Mutiple filebeat servers to Single logstash server Logstash	4	850	February 10, 2020

Logstash configuration: for journalbeat from multiple servers

Related topics