Questions On Logstash Conf File

Hello

I was just wondering if somebody could help clear up some confusion I am having when it comes to logstash. So in my current .conf file I have the output set to elasticsearch. This is where my questions start to pop up.

  1. Do you have to specify an index in the logstash conf file for it to be indexed into kibana correctly? In my experience I thought that this was necessary because I wasn't seeing data in kibana without it. This is how my current output section of my .conf file looks:

output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "winlogbeat-7.13.2-2021.07.02-000001"
  }
}

To view data using the winlogbeat dashboards, is it necessary to specify the index?

  2. If it is necessary to specify that index, how would you pipe multiple different types of beats through the same logstash? For example, if I am a business that monitors logs coming from different types of computers (Windows, macOS, and Linux), does this mean I have to set up multiple different instances of logstash? Does every different type of data with a different index need to be piped through its own logstash?

These questions come from a lack of understanding with how indexes work. Any clarification would be great.

Thanks,
Jared

When using an architecture like

Beats > Logstash > Elasticsearch

your Logstash conf file should look like the following:

################################################
# beats->logstash->es default config.
################################################
input {
  beats {
    port => 5044
  }
}

output {
  if [@metadata][pipeline] {
    elasticsearch {
      hosts => "http://localhost:9200"
      manage_template => false
      index => "%{[@metadata][beat]}-%{[@metadata][version]}"
      pipeline => "%{[@metadata][pipeline]}" 
      user => "elastic"
      password => "secret"
    }
  } else {
    elasticsearch {
      hosts => "http://localhost:9200"
      manage_template => false
      index => "%{[@metadata][beat]}-%{[@metadata][version]}"
      user => "elastic"
      password => "secret"
    }
  }
}

I also answered some additional detail about this architecture in this post.

It happens to be metricbeat, but it's very similar for winlogbeat.
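As an added illustration (not part of the reply above or of Logstash itself), here is a small Python model of how the `index` and `pipeline` settings in that output block are resolved per event: the `%{[@metadata][beat]}-%{[@metadata][version]}` reference is filled from each event's own metadata, so one Logstash instance routes winlogbeat, metricbeat and filebeat events to their own indices. The sample events and helper names are constructed here, not taken from a real Beats stream.

```python
import re
from typing import Any, Dict, List, Optional, Tuple

# Templates copied from the output block in the reply above.
INDEX_TEMPLATE = "%{[@metadata][beat]}-%{[@metadata][version]}"
PIPELINE_TEMPLATE = "%{[@metadata][pipeline]}"

# Constructed sample events, shaped like what the beats input emits.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"@metadata": {"beat": "winlogbeat", "version": "7.13.2"},
     "host": {"name": "win-host-01"}, "event": {"code": "4624"}},
    {"@metadata": {"beat": "metricbeat", "version": "7.13.2",
                   "pipeline": "metricbeat-7.13.2-system-process-pipeline"},
     "host": {"name": "linux-host-01"}},
    {"@metadata": {"beat": "filebeat", "version": "7.13.2"},
     "host": {"name": "mac-host-01"}, "message": "syslog line"},
    # An event with no beat metadata, e.g. from a non-Beats input.
    {"message": "plain event without @metadata"},
]


def get_field(event: Dict[str, Any], path: List[str]) -> Optional[Any]:
    """Walk a nested field reference such as ['@metadata', 'beat']."""
    cur: Any = event
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def sprintf(template: str, event: Dict[str, Any]) -> str:
    """Resolve Logstash-style %{...} references; like Logstash, an
    unresolvable reference is left as the literal text."""
    def repl(m: "re.Match[str]") -> str:
        ref = m.group(1)
        path = re.findall(r"\[([^\]]+)\]", ref) or [ref]  # %{field} or %{[a][b]}
        val = get_field(event, path)
        return m.group(0) if val is None else str(val)
    return re.sub(r"%\{([^}]+)\}", repl, template)


def route(event: Dict[str, Any]) -> Tuple[str, Optional[str]]:
    """Mirror the output block: the pipeline option is only set when
    [@metadata][pipeline] exists (the 'if' branch), else it is omitted."""
    index = sprintf(INDEX_TEMPLATE, event)
    pipeline = sprintf(PIPELINE_TEMPLATE, event) if get_field(event, ["@metadata", "pipeline"]) else None
    return index, pipeline


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(route(ev))
```

The last sample shows the failure mode worth watching for in a pipeline: an event with no `@metadata` lands in a literal `%{[@metadata][beat]}-...` index, which is a sign that the input is not a Beats input.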
