I am currently using Filebeat to send both NGINX and Syslog towards an ELK stack, which works perfectly. Nice! Now I am trying to add OSSEC to the equation. The OSSEC files are in JSON format, while the other logs are not. This creates a problem at Logstash Input, working with two codec types on the same inbound TCP port.
I did read some comments about running two Filebeat instances, meaning I could then use different Filebeat configs and therefore two different TCP ports to output towards Logstash. Not so much of a problem for me. The only question for a Linux newbie is how to actually run two instances in daemon mode. I am guessing that would entail copying the provided script and amending it to create a second instance? Or is there another way?
Thanks for your excellent work, this is a great help to us here!