With all of the different types of data that we ingest (Windows/Linux servers, firewalls, load-balancers, custom application logs, etc.), how do you all organize your inputs to keep things from getting out of hand? I originally thought maybe I would open a port for each type of log file that will be sent from clients. But now that we are starting to ingest more and more, I don't think that was the best choice. Since we will be moving from a virtual to a physical Elastic stack, I thought it would be a good time to reevaluate how we are doing things. So any thoughts/suggestions/gotchas that you have come across would help.
I prefer letting the sources declare all necessary fields needed for identification and filtering, using different ports on the Logstash side only to differentiate between protocols. One port for Beats and one for JSON over TCP/UDP goes a long way for me. You'll probably need one for syslog too.
A Logstash configuration just like you suggested and a single Filebeat/Winlogbeat configuration to keep things as simple as possible. Thanks!!
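The layout suggested in the answer above, as an added example that is not from either poster: one Logstash input per protocol, with routing driven by a field each source declares. The field name log_type, the non-Beats port numbers, the allowed values, the index pattern and the Elasticsearch host are assumptions for illustration. Events that arrive without a recognized log_type go to a separate index, so an unknown or misconfigured sender cannot write into the index of a source your detections rely on.

```logstash
input {
  # One port per protocol, not per log type.
  beats  { port => 5044 }                       # Filebeat / Winlogbeat
  tcp    { port => 5000 codec => json_lines }   # JSON over TCP (assumed port)
  udp    { port => 5000 codec => json }         # JSON over UDP (assumed port)
  # Syslog devices cannot declare custom fields, so the input labels them.
  syslog { port => 5514 add_field => { "log_type" => "syslog" } }
}

filter {
  # Beats ships custom fields under [fields] unless fields_under_root is set.
  # Move the declared value to one top-level name for every protocol.
  if [fields][log_type] {
    mutate { rename => { "[fields][log_type]" => "log_type" } }
  }

  # The value is supplied by the sender, so accept only known values.
  if [log_type] in ["windows", "linux", "firewall", "loadbalancer", "app", "syslog"] {
    mutate { add_field => { "[@metadata][target]" => "%{log_type}" } }
  } else {
    # Missing or unexpected value: keep the event, but isolate and tag it.
    mutate {
      add_field => { "[@metadata][target]" => "unclassified" }
      add_tag   => ["undeclared_source"]
    }
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]          # placeholder host
    index => "logs-%{[@metadata][target]}-%{+YYYY.MM.dd}"
  }
}
```

On the client side, the single shared Filebeat/Winlogbeat configuration only needs a fields: entry such as log_type: windows for this routing to work; a rising event count in the unclassified index is a useful signal that a new or misconfigured sender has appeared.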