Currently have a single
input {
  lumberjack {
    port => 5XXXX
    ssl_certificate => "/logstash.crt"
    ssl_key => "/logstash.key"
    codec => json
  }
}
Currently, however, mixed types are being sent:
- JSON logs (various)
- syslogs
- apache2 logs (access and error)
- nginx logs (access and error)
In 1.5.0 it has been noted that non-JSON log types carry the tag _jsonparsefailure as a result.
As noted in https://github.com/elastic/logstash/issues/3292#issuecomment-104336293, this configuration is suboptimal and a slowdown is expected.
As I understand it, an "optimal" configuration from the logstash perspective is to have multiple sources in the input section, e.g.
port => 1234 - syslogs (no codec => json)
port => 1235 - json logs (codec => json)
and so on.
My question here is really: is it at all possible to have a single logstash-forwarder sending multiple log types and, if so, what configuration is required on the logstash side to avoid a slowdown but maintain the JSON parsing?
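
One way to keep a single lumberjack input and still parse JSON only where it applies, shown as an added example that is not part of the original post. It assumes the forwarder attaches a `type` field to each file's events; the value `json` is a constructed name, and the port stays elided as in the post.

```conf
input {
  lumberjack {
    port => 5XXXX                        # elided in the post; left as-is
    ssl_certificate => "/logstash.crt"
    ssl_key => "/logstash.key"
    # No "codec => json" here: every event arrives as plain text in
    # [message], so syslog, apache2 and nginx lines are never pushed
    # through the JSON decoder and never get tagged _jsonparsefailure.
  }
}

filter {
  # Assumption: JSON log files are marked with type "json" by the forwarder.
  if [type] == "json" {
    json {
      source => "message"                # parse only events declared as JSON
    }
  }
}
```

With this layout a remaining _jsonparsefailure tag points at a file that was labelled as JSON but contains something else, rather than at every non-JSON source.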