Logstash with multiple inputs

red888 · March 20, 2017, 10:59pm

I have beats shipping syslog and nxlog shipping iis logs to logstash.

So I have this in my logstash config:
input {
beats {
port => "3333"
}
tcp {
type => "iis"
port => "5555"
}
}

and for output:
output {
if [type] == "syslog" {
elasticsearch {
hosts => "mycluster"
index => "logstash-syslog-%{+YYYY-MM-dd}"
}
} else if [type] == "iis" {
elasticsearch {
hosts => "mycluster"
index => "logstash-iis-%{+YYYY-MM-dd}"
}
} else {
elasticsearch {
hosts => "mycluster"
index => "uncategorized"
}
}
}

And this is my beats config for shipping syslogs:
filebeat:
prospectors:
-
paths:
- /var/log/messages
- /var/log/audit/audit.log
document_type: syslog #"type" that is read by logstash
output:
logstash:
hosts: ["myserver:3333"]

But my syslog logs are getting dumped in the iis index. Why is this happening? If their coming from a beats clients why are they getting into the tcp input?

magnusbaeck · March 21, 2017, 6:13am

Please show an example of such an event. Copy/paste from the JSON tab of Kibana's Discover panel. No screenshots please.

red888 · March 22, 2017, 12:44am

sorry this was a problem with my client config. It was point to the wrong port- my fault!

system · April 19, 2017, 12:44am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Receive multiple Logstash inputs with TCP, UDP and Beats Beats filebeat	7	3439	November 15, 2021
Filebeat -> Logstash -> ElasticSearch with multiple outputs Elasticsearch	7	650	April 19, 2021
Syslog beats separate output Logstash	10	2415	July 3, 2017
Configuring logstash-input-syslog Logstash	5	9429	June 1, 2018
Please help. I'm not getting how to input IIS logs Logstash	10	5155	July 6, 2017

Logstash with multiple inputs

Related topics