Logstash with multiple inputs

I have beats shipping syslog and nxlog shipping iis logs to logstash.

So I have this in my logstash config:
input {
  beats {
    port => "3333"
  }
  tcp {
    type => "iis"
    port => "5555"
  }
}

and for output:
output {
  if [type] == "syslog" {
    elasticsearch {
      hosts => "mycluster"
      index => "logstash-syslog-%{+YYYY-MM-dd}"
    }
  } else if [type] == "iis" {
    elasticsearch {
      hosts => "mycluster"
      index => "logstash-iis-%{+YYYY-MM-dd}"
    }
  } else {
    elasticsearch {
      hosts => "mycluster"
      index => "uncategorized"
    }
  }
}

And this is my beats config for shipping syslogs:
filebeat:
  prospectors:
    -
      paths:
        - /var/log/messages
        - /var/log/audit/audit.log
      document_type: syslog # "type" that is read by logstash
output:
  logstash:
    hosts: ["myserver:3333"]

But my syslog logs are getting dumped in the iis index. Why is this happening? If they're coming from beats clients, why are they getting into the tcp input?

Please show an example of such an event. Copy/paste from the JSON tab of Kibana's Discover panel. No screenshots please.

Sorry, this was a problem with my client config. It was pointing to the wrong port - my fault!
