Logstash Multiple File Inputs


#1

Hi,

Would appreciate a pointer with regard to using multiple file inputs.

This works:-

input {
	file {
		path => [
			"//server_1/Logs/*",
			"//server_2/Logs/*",
			"//server_2/Logs/*",
			"//server_2/Logs/*",
			"//server_2/Logs/*"
		]
		start_position => "beginning"
		sincedb_path => "E:/LS/logstash-2.0.0/.sincedb"
	}
} # END INPUT

I am collecting logs from different locations and processing them in a single LS config file.

The downside of this is that every LS document produced ends up with the "host" value set as the LS machine. I need the host value to be the remote machine which created the log in the first place.

What's best practice here? Should I have multiple file inputs (one per path) and add a type for each message then do a:-

if [type] == "server_1" {
    # add_field is a plugin option, so it has to sit inside a filter such as mutate
    mutate {
        add_field => { "host_server" => "server_1_hostname" }
    }
}

Or is there a more efficient way? Would I need to have a .sincedb defined per file input?

Would be grateful for a steer on best practice for monitoring multiple paths, keeping the host values separate and managing .sincedb(s).

Thanks


(Magnus Bäck) #2

Each event will have a path field with the path to the log file from which the event was read. Use a grok filter to extract the hostname from that path.
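
One way to apply the suggestion above, as an added example that is not part of the original thread: a single file input followed by a grok filter that copies the first component of the path field into server_name (the field name used in reply #3). It assumes the path field holds the path with forward slashes, as written in the input block; the two share paths and the failure tag name are constructed for illustration.

```logstash
input {
  file {
    # Constructed share paths, following the pattern in the question.
    path => [
      "//server_1/Logs/*",
      "//server_2/Logs/*"
    ]
    start_position => "beginning"
    sincedb_path => "E:/LS/logstash-2.0.0/.sincedb"
  }
}

filter {
  # The file input stores the source file in "path".
  # Capture the component after the leading "//" as the originating server.
  grok {
    match => { "path" => "^//(?<server_name>[^/]+)/" }
    # Hypothetical tag name: marks events whose origin could not be derived,
    # so they can be found instead of being silently attributed to the
    # Logstash machine.
    tag_on_failure => ["_server_name_parsefailure"]
  }

  # Filters run in order. Any cleanup that removes "path" has to come
  # after the grok, and here it only runs when the extraction succeeded.
  if "_server_name_parsefailure" not in [tags] {
    mutate { remove_field => ["path"] }
  }
}
```

The host field is left untouched, so each event carries both the collecting machine (host) and the machine that wrote the log (server_name).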


#3

Thanks Magnus!
My template LS config which I tend to use for everything new contains a mutate to remove a tonne of stuff. Path was one of them. Once I let the field in I was able to grok what I needed. In fact the end result is better than ever as instead of updating the host field I just made a new 'server_name' field, so now I get both.

Thanks again - you are doing an incredible job here!

