Logstash configuration: for journalbeat from multiple servers

Hi there, I've been trying to collect logs using journalbeat from multiple servers onto a single Logstash server. I already have winlogbeat on my Windows server, which is using 5044, hence the other servers with journalbeat are on 5045. It throws the following error:

Error: Cannot assign requested address
Exception: Java::JavaNet::BindException

Here is my Logstash conf file. I don't understand how to differentiate these logs/indices between server1 & server2.
@magnusbaeck could you please suggest?

input {
  beats {
    port => "5044"
    tags => ["windows-server"]
  }
  beats {
    port => "5045"
    tags => ["server1"]
  }
  # second beats input on port 5045, the same port as the input above
  beats {
    port => "5045"
    tags => ["server2"]
  }
}

output {
  # each tag set by an input above selects its own daily index
  if "windows-server" in [tags] {
    elasticsearch {
      hosts => ["ip of elasticsearch:9200"]
      manage_template => false
      index => "windowslogs-%{+YYYY.MM.dd}"
      user => "elastic"
      password => "password"
    }
  }
  if "server1" in [tags] {
    elasticsearch {
      hosts => ["ip of elasticsearch:9200"]
      manage_template => false
      index => "server1logs-%{+YYYY.MM.dd}"
      user => "elastic"
      password => "password"
    }
  }
  if "server2" in [tags] {
    elasticsearch {
      hosts => ["ip of elasticsearch:9200"]
      manage_template => false
      index => "server2logs-%{+YYYY.MM.dd}"
      user => "elastic"
      password => "password"
    }
  }
}

You cannot have two beats inputs listening on the same port (5045). The beats will add fields to the events that identify which host they are coming from.


Is it possible then to filter by hosts but on the same port? I might need to add more servers to this configuration. Or (would only directing to different ports help?) what could be a better solution to this? Please suggest.

You could use a different port for each source server and add tags to differentiate them, but there is no need to do that because the beats add fields that differentiate them.

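The single-listener setup the reply above describes, as an added example that is not part of the original thread: every journalbeat server ships to one beats input on 5045, and the index name is derived from the host field each Beat reports. The `[host][name]` field and the `[@metadata][source_host]` helper field are assumptions; check an actual event for the field your Beats version sets.

```logstash
input {
  # One beats input per port; a second input on the same port fails to bind.
  beats {
    port => 5044
    tags => ["windows-server"]
  }
  # All journalbeat servers ship here; no per-server input is needed.
  beats {
    port => 5045
  }
}

filter {
  if "windows-server" not in [tags] {
    if [host][name] {
      # Assumption: the Beat sets [host][name] (older versions use [beat][hostname]).
      # copy runs last inside a mutate, so lowercase goes in a second mutate.
      mutate { copy => { "[host][name]" => "[@metadata][source_host]" } }
      mutate { lowercase => ["[@metadata][source_host]"] }
    } else {
      # Fallback so the index name never contains an unresolved %{...}.
      mutate { add_field => { "[@metadata][source_host]" => "unknown" } }
    }
  }
}

output {
  if "windows-server" in [tags] {
    elasticsearch {
      hosts => ["ip of elasticsearch:9200"]
      manage_template => false
      index => "windowslogs-%{+YYYY.MM.dd}"
      user => "elastic"
      password => "password"
    }
  } else {
    # Yields server1logs-..., server2logs-... for hosts named server1, server2.
    elasticsearch {
      hosts => ["ip of elasticsearch:9200"]
      manage_template => false
      index => "%{[@metadata][source_host]}logs-%{+YYYY.MM.dd}"
      user => "elastic"
      password => "password"
    }
  }
}
```

The host name is reported by the shipping Beat itself, so treat it as a routing label rather than proof of which machine sent the event.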

Thanks for your prompt response.
Could you please give an example for my better understanding?

In journalbeat, I've put _SYSLOG_IDENTIFIER in the include matches section.
