New to Logstash Filter Config file questions

I am new to ELK and trying to learn. I have set up a "Lab" that has my pfSense firewall sending logs to Logstash. The "how-tos" I followed for this had me create 4 different files, 01-inputs.conf, 10-syslog.conf, 11-pfsense.conf and 30-outputs.conf. I would like to add winlogbeats to my config so I added the beats to my 01-input.conf.

#tcp syslog stream via 5140
input {
  tcp {
    type => "syslog"
    port => 5140
  }
}
#udp syslogs stream via 5140
input {
  udp {
    type => "syslog"
    port => 5140
  }
}
#beats 5044
input {
  beats {
    port => 5044
    tags => ["winlogbeat"]
  }
}

Do I create another file (say called 11-winlogbeats.conf) for my filter for winlogbeats? I see in most of the winlogbeat "how-tos" that the config is all in one file. I guess I am a little lost on the different files for each config.

If you point path.config to a directory (or a wildcard filename), Logstash concatenates all of the files into a single configuration. How you divide your configuration across different files is really a matter of personal taste.
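
Because all files end up in one pipeline, as the reply above describes, a filter placed in its own file is not scoped to the beats input by itself. The following is an added example, not part of the original thread, of a separate Winlogbeat filter file guarded by the tag set in the question's beats input; the file name and the `log_source` field are hypothetical.

```logstash
# 11-winlogbeat.conf (hypothetical file name), stored in the same directory
# as 01-inputs.conf, 10-syslog.conf, 11-pfsense.conf and 30-outputs.conf.
#
# Logstash merges every file in the path.config directory into a single
# pipeline, so this filter block also sees the syslog/pfSense events.
# The conditional restricts it to events carrying the tag that the beats
# input in 01-inputs.conf adds.
filter {
  if "winlogbeat" in [tags] {
    mutate {
      # Constructed field, only to mark where Winlogbeat-specific
      # processing would go.
      add_field => { "log_source" => "windows" }
    }
  }
}

# The same applies in the other direction: filters written for the firewall
# logs need their own guard, otherwise they also run on Winlogbeat events.
# The tcp and udp inputs in the question set type => "syslog".
filter {
  if [type] == "syslog" {
    mutate {
      # Constructed field, mirrors the one above.
      add_field => { "log_source" => "firewall" }
    }
  }
}
```

Starting Logstash with `--config.test_and_exit` and `path.config` pointed at the directory validates the merged configuration before any events are processed.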
