We are currently using Winlogbeat to ship Windows Server logs directly to Elasticsearch, but to accommodate multiple dev environments with the same server names we will be moving to Logstash, as it can do additional tagging based on the incoming IP address, etc.
When using Winlogbeat it was easy to specify which logs go to which index. For example, all logs by default go to winlogbeat-site1-dev-date, but Active Directory related logs go to a different AD index in Elastic (winlogbeat-site1-dev-ad-date). This is what the Winlogbeat configuration looks like:
```yaml
index: "winlogbeat-site1-dev-%{+yyyy.MM}"
indices:
  - index: "winlogbeat-site1-dev-ad-%{+yyyy.MM}"
    when.or:
      - equals:
          log_name: "Directory Service"
      - equals:
          log_name: "Active Directory Web Services"
```
With Logstash this would have to be done on the Logstash side, but I can't seem to figure out how I would route multiple logs to a single index depending on their log_name variable at the output level, or whether I need a filter that adds some kind of index_name variable to the entry that is later used by the Elasticsearch output plugin in Logstash. Any recommendations would be much appreciated!
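One way to reproduce the Winlogbeat `index`/`indices` routing on the Logstash side, as an added example that is not part of the original post. It assumes events arrive through the beats input on port 5044, still carry the pre-ECS Winlogbeat field `log_name` used in the question, and are written to an Elasticsearch at `localhost:9200`; the `site1`/`dev` naming is carried over from the question as a placeholder. The routing decision is stored under `@metadata`, so the helper field is available to the output's sprintf reference but is never indexed into the document.

```conf
# Added example (not from the original post). Assumptions: beats input on
# 5044, pre-ECS "log_name" field, Elasticsearch on localhost:9200, and the
# question's "winlogbeat-site1-dev" naming used as a placeholder.
input {
  beats {
    port => 5044
  }
}

filter {
  # Default target for every event. Fields under @metadata are passed to
  # outputs but are not stored in Elasticsearch.
  mutate {
    add_field => { "[@metadata][target_index]" => "winlogbeat-site1-dev" }
  }

  # Equivalent of the Winlogbeat "when.or" block: the two AD channels are
  # redirected to the AD index. "replace" is used instead of "add_field"
  # because add_field on an existing field would turn it into an array.
  if [log_name] in ["Directory Service", "Active Directory Web Services"] {
    mutate {
      replace => { "[@metadata][target_index]" => "winlogbeat-site1-dev-ad" }
    }
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    # One output serves all indices via sprintf; Logstash's date format is
    # Joda-style, so the month pattern is +YYYY.MM rather than +yyyy.MM.
    index => "%{[@metadata][target_index]}-%{+YYYY.MM}"
  }
}
```

The same result can be reached with `if`/`else` conditionals wrapping two separate `elasticsearch {}` blocks inside `output {}`, but the single-output form above keeps connection settings in one place and scales to further environment- or channel-based routing by adding more `mutate` branches in the filter stage.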