Discuss the Elastic Stack

Mixed type lumberjack {} input

Elastic Stack Logstash

Oneiroi (Oneiroi) May 21, 2015, 4:30pm 1

Currently have a single

input {
    lumberjack {
        port => 5XXXX
        ssl_certificate => "/logstash.crt"
        ssl_key => "/logstash.key"
        codec => json
    }
}

Currently however mixed types are being sent

JSON logs (various)
syslogs
apache2 logs (access and error)
nginx logs (access and error)

In 1.5.0 it has been noted that non JSON log types carry the tag: _jsonparsefailure as a result.

As noted in https://github.com/elastic/logstash/issues/3292#issuecomment-104336293 this configuration is suboptimal and slow down is expected.

As I understand it an "optimal" configuration from the logstash perspective is ot have multiple sources in the input section e.g.

port => 1234 - syslogs (no codec => json)
port => 1235 - json logs ( codec => json)

and so on.

My question here is really, it is at all possible to have a single logstash-forwarder sending multiple log types and if so what configuration is required logstash side to avoid slow down but maintain the JSON parsing?

Topic		Replies	Views	Activity
Logstash forwarder with multiple log source types Logstash	2	1173	July 6, 2017
Multiple lumberjack input in single logstash instance Logstash	3	2023	July 6, 2017
Lumberjack input issues Logstash	1	538	July 6, 2017
Lumberjack input + grok and multiline Logstash	1	989	July 6, 2017
Configuration with multiple types Logstash	2	775	March 14, 2018

© 2020. All Rights Reserved - Elasticsearch

Elasticsearch is a trademark of Elasticsearch BV, registered in the U.S. and in other countries
Trademarks
Terms
Privacy
Brand
Code of Conduct

Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.