Logstash with multiple inputs

red888 · March 20, 2017, 10:59pm

I have beats shipping syslog and nxlog shipping iis logs to logstash.

So I have this in my logstash config:
input {
beats {
port => "3333"
}
tcp {
type => "iis"
port => "5555"
}
}

and for output:
output {
if [type] == "syslog" {
elasticsearch {
hosts => "mycluster"
index => "logstash-syslog-%{+YYYY-MM-dd}"
}
} else if [type] == "iis" {
elasticsearch {
hosts => "mycluster"
index => "logstash-iis-%{+YYYY-MM-dd}"
}
} else {
elasticsearch {
hosts => "mycluster"
index => "uncategorized"
}
}
}

And this is my beats config for shipping syslogs:
filebeat:
prospectors:
-
paths:
- /var/log/messages
- /var/log/audit/audit.log
document_type: syslog #"type" that is read by logstash
output:
logstash:
hosts: ["myserver:3333"]

But my syslog logs are getting dumped in the iis index. Why is this happening? If their coming from a beats clients why are they getting into the tcp input?

magnusbaeck · March 21, 2017, 6:13am

Please show an example of such an event. Copy/paste from the JSON tab of Kibana's Discover panel. No screenshots please.

red888 · March 22, 2017, 12:44am

sorry this was a problem with my client config. It was point to the wrong port- my fault!

system · April 19, 2017, 12:44am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Receive multiple Logstash inputs with TCP, UDP and Beats Beats filebeat	7	3396	November 15, 2021
Trying to setup Logstash for Syslog input but having weird problems Logstash	6	1321	March 6, 2019
Logstash <-> Logstash using lumberjack. Beats input can not be passed through? Logstash	1	379	November 29, 2019
Logstash input data Logstash	4	170	May 28, 2024
Filebeat does not send data to logstash Beats filebeat	7	506	December 30, 2022

Logstash with multiple inputs

Related Topics