Logstash forwarder with multiple log source types


#1

All,

I have two log types I am trying to forward using the forwarder. One is a plain log and the other is a JSON file. I need to be able to have ELK parse them differently but cannot figure out how. For the JSON file, on the ELK server if I have the below it works great, but then the plain log file dies. The key to this working is the codec json part.

input {
  lumberjack {
    port => 5001
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
    codec => json
  }
}


(Magnus Bäck) #2

You could use a json filter that you enable selectively if the event looks like a JSON object.

filter {
  if [message] =~ /^\{/ {
    json {
      source => "message"
    }
  }
}
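
Added example, not part of the original posts: a full server-side pipeline that combines the lumberjack input from post #1 (with the input-wide codec removed) and the conditional json filter from post #2, and also handles a plain line that happens to start with `{`. The `json` and `plain` tag names and the stdout output are assumptions chosen for illustration.

```logstash
input {
  lumberjack {
    port => 5001
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
    # No "codec => json" here: a codec on the input applies to every event
    # received on this port, plain log lines included.
  }
}

filter {
  # Only attempt JSON decoding when the raw line looks like a JSON object.
  if [message] =~ /^\{/ {
    json {
      source => "message"
      # Default failure tag of the json filter, written out so the
      # conditional below is easy to follow.
      tag_on_failure => ["_jsonparsefailure"]
    }

    if "_jsonparsefailure" in [tags] {
      # The line started with "{" but was not valid JSON. The original
      # text is still in [message], so treat it as a plain log line.
      mutate { add_tag => ["plain"] }   # hypothetical tag name
    } else {
      mutate { add_tag => ["json"] }    # hypothetical tag name
    }
  } else {
    mutate { add_tag => ["plain"] }     # hypothetical tag name
  }
}

output {
  # Assumed output for checking the result; replace with the real output.
  stdout { codec => rubydebug }
}
```

Plain-log parsing (for example a grok filter) can then be wrapped in `if "plain" in [tags] { ... }` so it never runs against decoded JSON events.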

(system) #3