Questions On Logstash Conf File

Jared9922 · August 21, 2021, 11:58pm

Hello

I was just wondering if somebody could help clear up some confusion I am having when it comes to logstash. So in my current .conf file I have the output set to elasticsearch. This is where my questions start to pop up.

Do you have to specify an index in the logstash conf file for it to be indexed into kibana correctly? In my experience I thought that this was necessary because I wasn't seeing data in kibana without it. This is how my current output section of my .conf file looks:

output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "winlogbeat-7.13.2-2021.07.02-000001"
}

To view data using the winlogbeat dashboards is it necessary to specify the index.

If it is necessary to specify that index how would you pipe multiple different types of beats through the same logstash? For example if I am business that monitors logs coming from different types of computers (Windows, Macos, and Linux) does this mean I have to setup multiple different instances of logstash? Does every different type of data with a different index need to be piped through its own logstash?

These questions come from a lack of understanding with how indexes work. Any clarification would be great.

Thanks,
Jared

stephenb · August 22, 2021, 1:05am

Your when using an architecture like

Beats > Logstash > Elasticsearch

Your Logstash conf file should look like the following

################################################
# beats->logstash->es default config.
################################################
input {
  beats {
    port => 5044
  }
}

output {
  if [@metadata][pipeline] {
    elasticsearch {
      hosts => "http://localhost:9200"
      manage_template => false
      index => "%{[@metadata][beat]}-%{[@metadata][version]}"
      pipeline => "%{[@metadata][pipeline]}" 
      user => "elastic"
      password => "secret"
    }
  } else {
    elasticsearch {
      hosts => "http://localhost:9200"
      manage_template => false
      index => "%{[@metadata][beat]}-%{[@metadata][version]}"
      user => "elastic"
      password => "secret"
    }
  }
}

I also answered some additional detail about this architecture in this post

It happens to be metricbeat but it's very similar for winlogbeat

system · September 19, 2021, 1:05am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
2 indices Logstash	7	279	August 28, 2018
Several config files for beats in logstash Logstash	5	2756	July 6, 2017
Logstash with input from file and input from beats (port 5044) create two indices with the same data Logstash	3	420	August 22, 2019
Solved: Logstash Is Receiving Data From Winlogbeat But Isn't Showing In Kibana Logstash	1	527	July 21, 2021
Logstash keep logging into default index Logstash	6	1127	July 6, 2017

Questions On Logstash Conf File

Related topics