Logstash YML config, how it works?

Hey guys,

Im newbie with ELK stack but i have some questions.
I want to understand how does logstash works. I have a configuration inside conf.d for all my win servers. The clients of elk are win server that has winlogbeat.

`input {
beats {
port => 5044

ssl => true

ssl_certificate => "/etc/pki/tls/certs/logstash.crt"

ssl_key => "/etc/pki/tls/private/logstash.key"


filter {
if [type] == "syslog" {
grok {
match => {
"message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:[%{POSINT:syslog_pid}])?: %{GREEDYDATA:syslog_message}"
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
syslog_pri { }
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]

output {
elasticsearch {
hosts => "localhost:9200"
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"

  1. How Logstash knows to which configuration (yml) does it send it to?

  2. When I send logs from my win server to the elk stack, I get many small shards that make my elk oom. How can i fix that? Should I change that in my winlogbeat or is a misconfig in the ELK server?

  3. Does anyone has any configuration that might work good so i can see, and understand the code?

Thank for the help guys! :raised_hands::raised_hands::raised_hands:

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.