I'm in the process of planning an ELK setup to have a central log collection and monitoring system. I've got a few Linux clusters, firewalls and Microsoft Windows servers I would like to collect logs from.
- Firewalls can forward syslog messages over UDP/TCP
- Linux can do the same
- Windows would use the Snare agent to forward syslog messages too
On the Logstash side I would use a tcp/udp input to receive and handle the messages. The only question I have now:
Would I have to receive each event source type on a different port, for example? The formats of the firewall, the Linux systems and the Microsoft machines will be completely different, so the parsing will be completely different too!
Or does Logstash offer a way to define different parsers in one configuration, so that it tries each defined one until one matches or none are left? (I don't know whether that would be efficient, though.)
Or what is the "usual" approach? That's easy with log files, but most of what I want to collect will be arriving over a TCP stream.
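As an added illustration of the single-port approach the question asks about (this is not the poster's configuration, and it is not tied to any particular firewall vendor): one Logstash pipeline listens on one TCP and one UDP port, strips the common syslog envelope, then dispatches to a source-specific parser using a conditional on the sender address or on the message content. The port number 5514, the firewall address 192.0.2.1, the firewall body pattern and the sample SSH patterns are all assumptions chosen for the example; the sender-address field is `host` on Logstash 7 and earlier and becomes `[host][ip]` when ECS compatibility is enabled, so check your version.

```conf
# Added example (not from the original question): one listener, several parsers.
# Assumed values: port 5514, firewall at 192.0.2.1, Snare messages begin with
# "MSWinEventLog"; the firewall body pattern below is a placeholder for the
# real vendor format.

input {
  tcp { port => 5514 type => "syslog" }
  udp { port => 5514 type => "syslog" }
}

filter {
  if [type] == "syslog" {

    # 1. Peel off the syslog envelope shared by all three sources:
    #    <PRI>timestamp host program[pid]: body
    grok {
      match => { "message" => "^<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_host} %{DATA:program}(?:\[%{POSINT:pid}\])?: %{GREEDYDATA:syslog_message}" }
      tag_on_failure => [ "_syslog_envelope_failure" ]
    }
    syslog_pri { }                      # expands syslog_pri into facility/severity
    date { match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ] }

    # 2. Cheap dispatch: decide the parser once, then run only that parser.
    #    Sender address for the firewall (assumed 192.0.2.1; use [host][ip]
    #    under ECS), message content for Snare, everything else is Linux.
    if [host] == "192.0.2.1" {
      mutate { add_tag => [ "firewall" ] }
    } else if [syslog_message] =~ /^MSWinEventLog/ {
      mutate { add_tag => [ "windows" ] }
    } else {
      mutate { add_tag => [ "linux" ] }
    }

    # 3. Source-specific parsing.
    if "firewall" in [tags] {
      grok {
        # Placeholder pattern; replace with the firewall's real log format.
        match => { "syslog_message" => "%{WORD:action} %{WORD:proto} %{IP:src_ip}:%{POSINT:src_port} -> %{IP:dst_ip}:%{POSINT:dst_port}" }
        tag_on_failure => [ "_firewall_parse_failure" ]
      }
    } else if "windows" in [tags] {
      grok {
        # Snare fields are tab separated: MSWinEventLog, criticality, channel, counter, ...
        match => { "syslog_message" => "^%{WORD:snare_tag}\t%{INT:criticality}\t%{DATA:channel}\t%{INT:snare_counter}\t%{GREEDYDATA:snare_body}" }
        tag_on_failure => [ "_snare_parse_failure" ]
      }
    } else {
      # Linux: a list of patterns is tried in order and grok stops at the first
      # match (break_on_match defaults to true), so put the most common first
      # and keep the list short; the final catch-all avoids a failure tag.
      grok {
        match => { "syslog_message" => [
          "Accepted %{WORD:auth_method} for %{USER:user} from %{IP:src_ip} port %{POSINT:src_port}",
          "Failed password for (?:invalid user )?%{USER:user} from %{IP:src_ip} port %{POSINT:src_port}",
          "%{GREEDYDATA:unparsed}"
        ] }
      }
    }
  }
}

output {
  stdout { codec => rubydebug }         # swap for elasticsearch { ... } in production
}
```

The point of step 2 is that you choose the parser with one cheap comparison instead of making every event run through every grok pattern; the "try each pattern until one matches" behaviour still exists inside a single grok filter (the Linux branch above), but it is best kept to a handful of patterns per source. If you prefer the separate-port layout, the same filter block works unchanged: give each `tcp`/`udp` input its own `port` and `tags => ["firewall"]` and drop the dispatch conditionals, which is the usual choice when sources cannot be told apart by address or content.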