So I've configured an ELK stack. Initially, I configured my logging to use json format and used filebeat to send to logstash. Once I got that working, I wanted to start collecting system metrics so I disabled the filebeat configuration and created a topbeat one.
I'm now curious, how can I combine these two using a single beats input in logstash? I've been reading up on conditionals and was thinking of setting conditionals on document_type but I don't see that option in topbeat.
Ideally, I would like to configure a single port to be used and not have multiple logstash configs (with multiple ports open).
I'm wondering if setting a conditional on type would be advised?
Configuration
input {
  beats {
    host => "x.x.x.x"
    port => 5000
  }
}
output {
  if [type] == "system" or [type] == "filesystem" or [type] == "process" {
    elasticsearch {
      hosts => ["x.x.x.x:9200"]
      sniffing => true
      manage_template => false
      index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
      document_type => "%{[@metadata][type]}"
      template_name => "topbeat"
      template => "/etc/logstash/mappings/topbeat.json"
    }
  }
  if [document_type] == "nginx-access" {
    # do something here
  }
}
system, filesystem and process were the only fields I could see would be unique in conjunction with whatever my application logs would be sending. I'm setting the document_type in Filebeat but I don't see this option in Topbeat.