I am seeking advice regarding getting multiple syslog devices into logstash/elasticsearch.
I currently send syslog messages from multiple devices to a central rsyslog server on port 514. Because the messages are coming from different devices, different vendors, the message structure is different. I currently forward all messages from rsyslog to logstash on port 10514, using the
My question is where/how should I best filter these messages before sending them from logstash to elasticsearch.
- Does it make sense to use conditionals in my logstash filter based off the syslog [program] field and add a tag, then use another conditional in my logstash output to create an index for each syslog type/tag?
- Am I correct in thinking all the different types of input should have their own output index?
- Does it make sense to somehow do some filtering on the rsyslog side, and add some kind of tagging fields there in the message before sending it to logstash?
This is my architecture currently.
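One way to implement the filter-side tagging and per-type index routing the question describes, as an added example (not the poster's configuration): it assumes the `syslog` input on port 10514 from the post and Elasticsearch at `localhost:9200`; the program names `sshd` and `sudo` are constructed sample values. The routing key is kept under `[@metadata]` so it drives the index name without being stored in the document, which avoids one `elasticsearch` output block per tag.

```logstash
input {
  # rsyslog forwards everything here (port taken from the question)
  syslog { port => 10514 }
}

filter {
  # Default routing key; [@metadata] fields are never written to Elasticsearch
  mutate { add_field => { "[@metadata][index_type]" => "other" } }

  # Messages that did not parse as RFC3164 syslog (a different vendor format)
  # are tagged by the syslog input; keep them apart so they can be inspected
  if "_grokparsefailure_sysloginput" in [tags] {
    mutate { replace => { "[@metadata][index_type]" => "unparsed" } }
  }
  # Classify on the syslog program field (constructed sample values)
  else if [program] == "sshd" or [program] == "sudo" {
    mutate {
      add_tag => ["auth"]
      replace => { "[@metadata][index_type]" => "auth" }
    }
  }
  else if [program] == "kernel" {
    mutate {
      add_tag => ["kernel"]
      replace => { "[@metadata][index_type]" => "kernel" }
    }
  }
}

output {
  # A single output; the index name is built from the routing key set above
  elasticsearch {
    hosts => ["localhost:9200"]                              # assumed address
    index => "syslog-%{[@metadata][index_type]}-%{+YYYY.MM.dd}"
  }
}
```

Events without a matching `[program]` land in `syslog-other-*`, so nothing is silently dropped while the per-vendor conditionals are being built up.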