Logstash forwarder with multiple log source types


I have two log types I am trying to forward using the forwarder. One is a plain log and the other is a json fie. I need to be able to have ELK parse them differently but can not figure out how. For the json file, on the ELK server if i have the below it works great, but then the plain log file dies. the key t this working is the codec json part.

input {
lumberjack {
port => 5001
ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
codec => json

You could use a json filter that you enable selectively if the event looks like a JSON object.

filter {
  if [message] =~ /^\{/ {
    json {
      source => "message"