Hello all,
We are working on the implementation of an ELK stack with Beats. The general scenario is that we are going to have one centralised server for all of the ELK components (Elasticsearch, Logstash, Kibana), then install Beats (Filebeat and Auditbeat) on each host and ship the logs to the centralised server.
So far (with 4 working examples), in the main Logstash configuration file we are using conditionals (if/else) to grab the hostname of the server and then use different grok patterns, as well as ship each server's logs to a different index.
While reading my way through, I found this excellent blog post about multiple pipelines and how they can solve the mess of having multiple conditionals: https://www.elastic.co/blog/logstash-multiple-pipelines
The thing is that this blog has an example with inputs of a different kind.
So I was wondering if the implementation of multiple pipelines can help with our scenario, because we would still need a way to check the hostname of the server sending the data, which in my mind would still be an if statement in the .cfg file (assuming we use multiple pipelines).
If anybody has a suggestion or some opinion on this it would be much appreciated. Thank you!
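As an added illustration (not from the original post or from Elastic's blog), the following constructed `pipelines.yml` shows how the per-host if/else chain can be dropped: a single "distributor" pipeline owns the Beats port and routes on the beat type that the `beats` input stamps into `[@metadata][beat]`, while the per-host index comes from Filebeat's own hostname field (`[host][name]` in 7.x, `[beat][hostname]` in older releases) via sprintf, so no hostname conditional is needed. Certificate paths, the Elasticsearch URL and the grok pattern are assumptions.

```yaml
# pipelines.yml (constructed): a distributor pipeline routes by beat type; indexes come from the hostname.
- pipeline.id: beats-distributor
  config.string: |
    input {
      beats {
        port => 5044
        ssl => true                                   # placeholder cert paths below
        ssl_certificate => "/etc/logstash/certs/logstash.crt"
        ssl_key => "/etc/logstash/certs/logstash.key"
      }
    }
    filter {
      # Elasticsearch index names must be lowercase; hostnames need not be.
      mutate { lowercase => [ "[host][name]" ] }
    }
    output {
      # The only conditional left: route on the beat type the input stamps
      # into [@metadata][beat] ("filebeat" or "auditbeat"), not on hostname.
      if [@metadata][beat] == "auditbeat" {
        pipeline { send_to => "audit" }
      } else {
        pipeline { send_to => "files" }
      }
    }

- pipeline.id: files-processing
  config.string: |
    input { pipeline { address => "files" } }
    filter {
      # Application-specific parsing; assumed Apache/nginx-style access lines.
      grok { match => { "message" => "%{COMBINEDAPACHELOG}" } }
    }
    output {
      elasticsearch {
        hosts => ["https://elk.example.internal:9200"]   # placeholder
        # One index per sending host with no if/else: [host][name] is the
        # field Filebeat 7.x adds (older Beats use [beat][hostname]).
        index => "filebeat-%{[host][name]}-%{+YYYY.MM.dd}"
      }
    }

- pipeline.id: audit-processing
  config.string: |
    input { pipeline { address => "audit" } }
    output {
      elasticsearch {
        hosts => ["https://elk.example.internal:9200"]   # placeholder
        index => "auditbeat-%{[host][name]}-%{+YYYY.MM.dd}"
      }
    }
```

Pipeline-to-pipeline communication (the `pipeline` input and output) requires Logstash 6.3 or later; if different hosts need different grok patterns, tag the source application in the Filebeat input (`fields`) and route on that field in the distributor rather than on the hostname.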