Hi all experts,
I'm trying to inject many logs from many files.
Actually, I receive all logs, but in just one index.
I tried to use tags, but it's not working actually, and I can't find my error.
filebeat configuration:
filebeat.inputs:
- type: log
  encoding: utf-8
  enabled: true
  paths:
    - C:/Program Files/Microsoft SQL Server/MSSQL13.MSSQLSERVER/MSSQL/Log/FDLAUNCHERRORLOG*
  tags: ["FDLAUNCHERRORLOG"]
  scan_frequency: 120s
- type: log
  encoding: utf-8
  enabled: true
  paths:
    - C:/Program Files/Microsoft SQL Server/MSSQL13.MSSQLSERVER/MSSQL/Log/SQLAGENT*
  tags: ["SQLAGENT"]
  scan_frequency: 120s
- type: log
  encoding: utf-8
  enabled: true
  paths:
    - C:/Program Files/Microsoft SQL Server/MSSQL13.MSSQLSERVER/MSSQL/Log/ERRORLOG*
  tags: ["ERRORLOG"]
  scan_frequency: 120s
#============================= Filebeat modules ===============================
#==================== Elasticsearch template setting ==========================
setup.template.settings:
  index.number_of_shards: 1
#----------------------------- Logstash output --------------------------------
output.logstash:
  enabled: true
  # The Logstash hosts
  hosts: ["xxx.xxx.xxx.xxx:5044"]
#================================ Processors =====================================
processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~
input logstash:
input {
  beats {
    port => 5044
    tags => ["ERRORLOG","FDLAUNCHERRORLOG","SQLAGENT"]
  }
}
output logstash:
output {
  if "ERRORLOG" in [tags] {
    elasticsearch {
      hosts => ["http://sta-elasticsearch:9200"]
      index => "errorlog-%{+YYYY.MM.dd}"
    }
  }
  else if "FDLAUNCHERRORLOG" in [tags] {
    elasticsearch {
      hosts => ["http://sta-elasticsearch:9200"]
      index => "fdlauncherrorlog-%{+YYYY.MM.dd}"
    }
  }
  else if "SQLAGENT" in [tags] {
    elasticsearch {
      hosts => ["http://sta-elasticsearch:9200"]
      index => "sqlagent-%{+YYYY.MM.dd}"
    }
  }
}
So I try to tag with words like ERRORLOG or SQLAGENT, to redirect logs to their correct index.
Regards.
Jonathan
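
An added example, not part of the original post and not Elastic's code: a small Python model of the pipeline above, showing how the beats input's `tags` option, which adds the listed tags to every event it receives, interacts with the first-match conditional chain in the output. The sample events and the `source` key are constructed for illustration.

```python
# Model (not Logstash itself) of the pipeline in the post: Filebeat sets one
# tag per input, the beats input's `tags` option adds its tags to every event,
# and the output takes the first branch whose tag is present.

# Branch order and index prefixes copied from the output section of the post.
ROUTES = [
    ("ERRORLOG", "errorlog"),
    ("FDLAUNCHERRORLOG", "fdlauncherrorlog"),
    ("SQLAGENT", "sqlagent"),
]

def beats_input(event, input_tags=()):
    """Return the event as it leaves the input stage: the input's `tags` are
    added to the tags the event already carries. Duplicates are skipped in
    this model; that choice does not affect routing."""
    tags = list(event.get("tags", []))
    for tag in input_tags:
        if tag not in tags:
            tags.append(tag)
    return {**event, "tags": tags}

def route(event):
    """Mimic the if / else if chain: the first matching tag wins. On an array
    field, `in` is a membership test, not a substring match."""
    for tag, index in ROUTES:
        if tag in event["tags"]:
            return index
    return None  # no branch matched: the event is not indexed anywhere

def simulate(events, input_tags=()):
    """Map each sample event to the index prefix it would be written to."""
    return {e["source"]: route(beats_input(e, input_tags)) for e in events}

# Constructed sample events, one per Filebeat input defined in the post.
SAMPLE = [
    {"source": "ERRORLOG.1", "tags": ["ERRORLOG"]},
    {"source": "FDLAUNCHERRORLOG.1", "tags": ["FDLAUNCHERRORLOG"]},
    {"source": "SQLAGENT.1", "tags": ["SQLAGENT"]},
]

if __name__ == "__main__":
    posted = simulate(SAMPLE, ["ERRORLOG", "FDLAUNCHERRORLOG", "SQLAGENT"])
    without = simulate(SAMPLE)
    for name in posted:
        print(f"{name:20} posted -> {posted[name]:10} no input tags -> {without[name]}")
```

In the model, the posted input settings send all three sample events to `errorlog`, while the same events without input-level tags each reach the index named after their Filebeat tag.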