Separate Indexes Per Log File From Two Different Servers (Filebeat -> Logstash - > Elastic -> Kibana)

I have two servers configured with Filebeat to send logs to Logstash which is working properly. I would now like to view each of those logs separately under their respective indexes within Kibana Discover but I am struggling to get it working. Data for both servers is not being separated and is appearing in both indexes.
Filebeat + Logstash config below:

Server #1:
/etc/filebeat/filebeat.yml

filebeat.inputs:
- type: log
  paths:
    - /var/log/nginx/*.log
  exclude_files: ['\.gz$']

  processors:
    - add_fields:
        target: ''
        fields:
          server: 'server1'

output.logstash:
  hosts: ["elasticserver:5400"]
  ssl.certificate_authorities: ["/etc/elk-certs/elk-ssl.crt"]
  ssl.certificate: "/etc/elk-certs/elk-ssl.crt"
  ssl.key: "/etc/elk-certs/elk-ssl.key"

/etc/logstash/conf.d/logstash-server1.conf

input {
    beats {
        port => 5400
        ssl => true
        ssl_certificate_authorities => ["/etc/elk-certs/elk-ssl.crt"]
        ssl_certificate => "/etc/elk-certs/elk-ssl.crt"
        ssl_key => "/etc/elk-certs/elk-ssl.key"
        ssl_verify_mode => "force_peer"
    }
}

filter {
 grok {
   match => [ "message" , "%{IPORHOST:clientip} - %{USER:user} - \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\" %{NUMBER:response} (?:%{NUMBER:bytes}|-) %{NUMBER:loadtime} %{QS:referrer} %{QS:agent} \"-\""]
   overwrite => [ "message" ]
 }
}

output {
 elasticsearch {
   hosts => ["localhost:9200"]
   index => "weblogs-%{+YYYY.MM.dd}"
   user => "logstash_internal"
   password => "my_password"
   document_type => "nginx_logs"
 }
 stdout { codec => rubydebug }
}

Server #2:
/etc/filebeat/filebeat.yml

filebeat.inputs:
- type: log
  paths:
    - /var/www/laravel/storage/logs/laravel.log
  fields:
    document_type: laravel_logs

output.logstash:
  hosts: ["elasticserver:5444"]
  ssl.certificate_authorities: ["/etc/elk-certs/elk-ssl.crt"]
  ssl.certificate: "/etc/elk-certs/elk-ssl.crt"
  ssl.key: "/etc/elk-certs/elk-ssl.key"

Filebeat log file sample:

2021-09-27T17:12:11.774Z INFO [monitoring] log/log.go:184 Non-zero metrics in the last 30s {"monitoring": {"metrics": {"beat":{"cgroup":{"cpuacct":{"total":{"ns":12740766}},"memory":{"mem":{"usage":{"bytes":4096}}}},"cpu":{"system":{"ticks":220,"time":{"ms":4}},"total":{"ticks":720,"time":{"ms":12},"value":720},"user":{"ticks":500,"time":{"ms":8}}},"handles":{"limit":{"hard":4096,"soft":1024},"open":11},"info":{"ephemeral_id":"d069173c-0430-49ff-8054-b7ac7ed0336b","uptime":{"ms":1590092},"version":"7.15.0"},"memstats":{"gc_next":19401488,"memory_alloc":9722072,"memory_total":88706744,"rss":111407104},"runtime":{"goroutines":24}},"filebeat":{"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0}},"pipeline":{"clients":1,"events":{"active":0}}},"registrar":{"states":{"current":1}},"system":{"load":{"1":0.31,"15":0.3,"5":0.31,"norm":{"1":0.155,"15":0.15,"5":0.155}}}}}}

/etc/logstash/conf.d/logstash-server2.conf

input {
    beats {
        port => 5444
        ssl => true
        ssl_certificate_authorities => ["/etc/elk-certs/elk-ssl.crt"]
        ssl_certificate => "/etc/elk-certs/elk-ssl.crt"
        ssl_key => "/etc/elk-certs/elk-ssl.key"
        ssl_verify_mode => "force_peer"
    }
}

filter {
  if [fields][document_type] == "laravel_logs" {
     grok {
       match => [ "message" , "\[%{TIMESTAMP_ISO8601:timestamp}\] (?<system>[\w\.]*): %{WORD:clickid} - %{GREEDYDATA:message}"]
       overwrite => [ "message" ]
     }
    }
}

output {
 elasticsearch {
   hosts => ["localhost:9200"]
   index => "laravel-logs-%{+YYYY.MM.dd}"
   user => "logstash_internal"
   password => "my_password"
   document_type => "laravel_logs"
 }
 stdout { codec => rubydebug }
}

When in Kibana Discover and looking at my different indexes (weblogs-* and laravel-logs-*), I get data in both of those indexes, but server1 data appears in both indexes, when I only want server1 to index to weblogs- and server2 to index to laravel-logs-.

Can someone please explain to me where I am going wrong and how to resolve this?

Many thanks,
milo

How are you running logstash? Are you using multiple pipelines with the pipelines.yml file?

Thanks for your reply @leandrojmp

I'm not sure if I am making use of pipelines or not, I'm assuming not because of the screenshots below, but I have included a copy of the pipelines.yml config for reference. How can I tell?

Are you starting logstash as a service?

If so, with the current configuration of the pipelines.yml you do not have two pipelines; you have just one pipeline, as Logstash is merging both files.

Since you do not have any filter in your output, all the events will be written to both indexes.

To have independent pipelines you need to change your pipelines.yml:

- pipeline.id: server1
  path.config: "/etc/logstash/conf.d/logstash-server1.conf"

- pipeline.id: server2
  path.config: "/etc/logstash/conf.d/logstash-server2.conf"
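For readers who keep both config files in one merged pipeline (the situation the reply above describes), the other way to stop cross-writing is to guard each filter and output with a conditional on a field the event already carries. This is an added example, not from the thread; it reuses the ports, paths and field names posted above, and assumes the top-level `server` field added by server1's Filebeat processor and the `[fields][document_type]` value set on server2 are present on every event.

```logstash
# Added example: one merged pipeline that still routes each server to its own index.
# Both Beats inputs use the same TLS material as the posted configs.
input {
  beats { port => 5400 ssl => true ssl_certificate_authorities => ["/etc/elk-certs/elk-ssl.crt"]
          ssl_certificate => "/etc/elk-certs/elk-ssl.crt" ssl_key => "/etc/elk-certs/elk-ssl.key"
          ssl_verify_mode => "force_peer" }
  beats { port => 5444 ssl => true ssl_certificate_authorities => ["/etc/elk-certs/elk-ssl.crt"]
          ssl_certificate => "/etc/elk-certs/elk-ssl.crt" ssl_key => "/etc/elk-certs/elk-ssl.key"
          ssl_verify_mode => "force_peer" }
}

filter {
  # server1's Filebeat sets top-level field "server: server1" via add_fields.
  if [server] == "server1" {
    grok {
      match => [ "message", "%{IPORHOST:clientip} - %{USER:user} - \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\" %{NUMBER:response} (?:%{NUMBER:bytes}|-) %{NUMBER:loadtime} %{QS:referrer} %{QS:agent} \"-\"" ]
      overwrite => [ "message" ]
    }
  } else if [fields][document_type] == "laravel_logs" {
    grok {
      match => [ "message", "\[%{TIMESTAMP_ISO8601:timestamp}\] (?<system>[\w\.]*): %{WORD:clickid} - %{GREEDYDATA:message}" ]
      overwrite => [ "message" ]
    }
  } else {
    # Anything that matches neither source is tagged so it can be found, not silently mixed in.
    mutate { add_tag => [ "unrouted" ] }
  }
}

output {
  # Without these conditionals every event reaches every elasticsearch output, which is
  # exactly the cross-writing seen in the question.
  if [server] == "server1" {
    elasticsearch { hosts => ["localhost:9200"] index => "weblogs-%{+YYYY.MM.dd}"
                    user => "logstash_internal" password => "my_password" }
  } else if [fields][document_type] == "laravel_logs" {
    elasticsearch { hosts => ["localhost:9200"] index => "laravel-logs-%{+YYYY.MM.dd}"
                    user => "logstash_internal" password => "my_password" }
  } else {
    # Unrouted events go to a catch-all index (assumed name) for inspection.
    elasticsearch { hosts => ["localhost:9200"] index => "unrouted-%{+YYYY.MM.dd}"
                    user => "logstash_internal" password => "my_password" }
  }
}
```

With separate pipelines in pipelines.yml the conditionals are unnecessary, but they are a cheap safeguard if someone later drops another .conf file into the same directory.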

Yes I am.

That makes sense, thank you! I managed to configure the pipelines.yml file with two pipelines as suggested. Is there specific config within Kibana required to view the individual pipelines, or will my existing config as above be fine?

I'll tinker around in the meantime to see if I can figure out how to see the two log files by themselves.

Ok it's working as expected, thanks again @leandrojmp

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.