Sending data from same source for different type of beat agents to logstash

ravikt · August 13, 2018, 7:21pm

I have got these beat agents installed on a machine :

winlogbeat
metricbeat

Trying to send data to same logstash instance. Wondering, how logstash would differentiate the data from these 2 inputs and send output to elasticsearch?

NerdSec · August 14, 2018, 11:21am

Hi Ravi,

Beats adds some fields of its own as well. Have a look at

https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-beat.html

ravikt · August 14, 2018, 7:50pm

So in the configuration for winlogbeat and metricbeat, I need to specify these?
eg:
for metricbeat
beat.name: metricbeat in metricbeat.yml
for winlogbeat
beat.name: winlogbeat in winlogbeat.yml

NerdSec · August 15, 2018, 3:07am

Not really. Beats does it for you.

Do you wish to send it to Logstash for any preprocessing?

In that case you can use tags in your FileBeat config.
https://www.elastic.co/guide/en/beats/filebeat/6.2/configuration-filebeat-options.html#_literal_tags_literal

As for metricbeat, that will send data directly to elasticsearch.

ravikt · August 16, 2018, 4:23pm

Yes, I want to send both metricbeat and winlogbeat to logstash.

NerdSec · August 17, 2018, 10:08am

Hi Ravi,

You can use the beat.name field to apply conditional logic and process events in Logstash.

And this is correct. You will have to specify the beat name.

ravikt · August 17, 2018, 11:54am

Thank you. I would also need logstash to send output to ES with different index for both beats.
How the configuration for logstash would like in the .conf file for input and output?

ravikt · August 20, 2018, 12:55pm

Hi Nachiket,

Could you please update on the below?

Thanks,
Ravi

NerdSec · August 20, 2018, 1:04pm

Hi Ravi,

You could use the conditional to separate the two streams.

if [beat][name] == "xyz" {
 mutate {
  add_field => { "indice" => "xyz" }
 }
}
else {
 mutate {
  add_field => {"indice" => "abc"}
 }
}

You can then use the indice field in your elasticsearch output.

ravikt · August 20, 2018, 3:21pm

Thank you Nachiket.

so the logstash.conf should look like this?
input {
beats {
port => 5044
}
}

if [beat][name] == "metricbeat" {
mutate {
add_field => { "indice" => "metricbeat" }
}
}
else {
mutate {
add_field => {"indice" => "winlogbeat"}
}
}

output {
elasticsearch {
hosts => ["172.31.1.10:9200"]
index => "metricbeat-%{+YYYY.MM.dd}"
}
}

output {
elasticsearch {
hosts => ["172.31.1.10:9200"]
index => "winlogbeat-%{+YYYY.MM.dd}"
}
}

ravikt · August 20, 2018, 6:31pm

Hi Nachiket,

I am using filter after input in logstash.conf. Does this looks good?
input {
beats {
port => 5044
}
}

filter {
if [beat][name] == "metricbeat" {
mutate {
add_field => { "indice" => "metricbeat"}
}
}
else {
mutate {
add_field => {"indice" => "winlogbeat"}
}
}
}

output {
elasticsearch {
hosts => ["172.31.1.10:9200"]
index => "metricbeat-%{+YYYY.MM.dd}"
}
}

output {
elasticsearch {
hosts => ["172.31.1.10:9200"]
index => "winlogbeat-%{+YYYY.MM.dd}"
}
}

Regards,
Ravi

NerdSec · August 21, 2018, 4:37am

This config will create a single index for both filebeat and metricbeat. Is that what was intended?

To create two indices, please use the indice variable we created in the elasticsearch output.

output {
  elasticsearch {
    hosts => ["172.31.1.10:9200"]
    index => "%{indice}-%{+YYYY.MM.dd}"
  }
}

ravikt · August 21, 2018, 6:17am

No, I need to create 2 indices, one for each beat type.

Here is my updated config:

input {
beats {
port => 5044
}
}

filter {
if [beat][name] == "metricbeat" {
mutate {
add_field => { "indice" => "metricbeat"}
}
}
else {
mutate {
add_field => {"indice" => "winlogbeat"}
}
}
}

output {
elasticsearch {
hosts => ["172.31.1.10:9200"]
index => "%{indice}-%{+YYYY.MM.dd}"
}
}

Christian_Dahlqvist · August 21, 2018, 7:13am

As all events now contain a parameter with the index prefix, you should only have a single elasticsearch output.

ravikt · August 21, 2018, 9:36am

Hi Christian,

I want to see separate ES output for both beat types. Is this possible?

Thanks,
Ravi

Christian_Dahlqvist · August 21, 2018, 9:41am

Why? If you want that you have to put conditionals around the outputs as well in order to avoid duplicates.

ravikt · August 21, 2018, 10:44am

I am sending different types of beat data, so would like to see ES output with different index.

Christian_Dahlqvist · August 21, 2018, 10:46am

The way you have set it up now you can send data to different indices using a single output, which probably is more efficient. Why does this not work for you??

ravikt · August 21, 2018, 10:48am

I am ok if it can send data to different indices using a single output. Then my config should be like this?

input {
beats {
port => 5044
}
}

filter {
if [beat][name] == "metricbeat" {
mutate {
add_field => { "indice" => "metricbeat"}
}
}
else {
mutate {
add_field => {"indice" => "winlogbeat"}
}
}
}

output {
elasticsearch {
hosts => ["172.31.1.10:9200"]
}
}

Christian_Dahlqvist · August 21, 2018, 11:01am

Your output block should still look like this, but you only need one.