I have beats shipping syslog and nxlog shipping iis logs to logstash.
So I have this in my logstash config:
input {
  beats {
    port => "3333"
  }
  tcp {
    type => "iis"
    port => "5555"
  }
}
and for output:
output {
  if [type] == "syslog" {
    elasticsearch {
      hosts => "mycluster"
      index => "logstash-syslog-%{+YYYY-MM-dd}"
    }
  } else if [type] == "iis" {
    elasticsearch {
      hosts => "mycluster"
      index => "logstash-iis-%{+YYYY-MM-dd}"
    }
  } else {
    elasticsearch {
      hosts => "mycluster"
      index => "uncategorized"
    }
  }
}
And this is my beats config for shipping syslogs:
filebeat:
  prospectors:
    -
      paths:
        - /var/log/messages
        - /var/log/audit/audit.log
      document_type: syslog  # "type" that is read by logstash
output:
  logstash:
    hosts: ["myserver:3333"]
But my syslog logs are getting dumped in the iis index. Why is this happening? If they're coming from a beats client, why are they getting into the tcp input?