Mixed logs

Pedro_Cabral · October 16, 2018, 7:02am

Hello all,

I have the following configurations:

input {
  beats {
port => "8514"
type => "winlogbeat"
  }
}

output {
    elasticsearch {
            hosts => ["10.192.144.9:9200"]
            manage_template => false
            sniffing => true
            index => "ad-%{+YYYY.MM.dd}"
    }
}

and

input {
  beats {
    port => "8513"
    type => "winlogbeat"
   }
}
output {
        elasticsearch {
                hosts => ["10.192.144.9:9200"]
                manage_template => false
                sniffing => true
                index => "sysmon-%{+YYYY.MM.dd}"
        }
}

In kibana I have 2 different index pattern one ad-* and sysmon-* but when I see the logs I have sysmon logs with ad logs.

Can someone please tell me why this is happening and how I can fix it?
Thanks in advance for your help.

Best Regards,
Pedro Cabral

Christian_Dahlqvist · October 16, 2018, 7:15am

Logstash concatenates all configuration files in the directory, so unless you use conditionals to control the flow or define multiple pipelines, all data will go to all outputs. This has been discussed here a lot, so you should be able to search and find examples if needed.

Pedro_Cabral · October 16, 2018, 8:00am

Thank you for your reply!
Best Regards,
Pedro Cabral

system · November 13, 2018, 8:00am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.