We have multiple ELK environments (dev, test, etc.) and have observed recently that the forwarder is sending messages to multiple environments.
In all environments, the forwarder config looks like this:
    # The network section covers network configuration
    "servers": [ "host123.domain.com:5043" ],
    #"ssl key": "./logstash-forwarder.key",
    # The path to your trusted ssl CA file. This is used
    # to authenticate your downstream server.
    "ssl ca": "/etc/pki/tls/certs/logstash-forwarder.crt",
    "timeout": 15
An /etc/hosts entry maps host123 to the appropriate IP in each environment. Is there a way to enable verbosity in the forwarder logs to see why it is sending to multiple servers?