Hi,
We just started to work with Logstash recently and I have a few questions about Beats config files.
We currently have 2 configuration files on our Logstash: one for filebeat and another one for winlogbeat.
Each config file is configured to listen on a different port (5044/5045) and to write to a different index in Elasticsearch.
It seems that every message is being processed by these two config files, and all the messages, both from winlogbeat and filebeat, are being written to these 2 indices.
Should it work this way? When Logstash gets messages from a Beats application, does it process them in all the config files with a beats input that Logstash has?
Our logstash version is 2.3.1 and these are the config files:
config1 (winlogbeat):
```
input {
  beats {
    port => 5044
  }
}
filter {
  if [type] == "wineventlog" and [source_name] != "Test" {
    drop { }
  }
}
output {
  elasticsearch {
    hosts => "SERVER_IP"
    manage_template => false
    index => "winlogbeat-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}
```
config2 (filebeat):
```
input {
  beats {
    port => 5045
  }
}
filter {
  grok {
    match => { "message" => "%{DATESTAMP:date} %{WORD:timezone}] %{GREEDYDATA:data}" }
  }
  date {
    match => [ "date", "MM/dd/YY HH:mm:ss:SSS" ]
  }
}
output {
  elasticsearch {
    hosts => "SERVER_IP"
    manage_template => false
    index => "filebeat-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}
```
Thanks a lot!
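
Added example, not part of the original post: Logstash 2.x concatenates every file in its config directory into a single pipeline, so events from either beats input pass through all filters and all outputs unless each stage is wrapped in a conditional. The sketch below shows the two configs above as that one merged pipeline with each stage scoped by a tag set on its input; the tag names `from_winlogbeat` and `from_filebeat` are assumptions chosen for this example.

```logstash
# Constructed example: the poster's two configs as one pipeline, scoped by input tag.
# Tag names are hypothetical; SERVER_IP is the placeholder used in the post.
input {
  beats {
    port => 5044
    tags => ["from_winlogbeat"]   # mark events arriving on the winlogbeat port
  }
  beats {
    port => 5045
    tags => ["from_filebeat"]     # mark events arriving on the filebeat port
  }
}

filter {
  if "from_winlogbeat" in [tags] {
    # Same drop rule as config1, now applied only to winlogbeat events
    if [type] == "wineventlog" and [source_name] != "Test" {
      drop { }
    }
  } else if "from_filebeat" in [tags] {
    # Same grok/date parsing as config2, now applied only to filebeat events
    grok {
      match => { "message" => "%{DATESTAMP:date} %{WORD:timezone}] %{GREEDYDATA:data}" }
    }
    date {
      match => [ "date", "MM/dd/YY HH:mm:ss:SSS" ]
    }
  }
}

output {
  if "from_winlogbeat" in [tags] {
    elasticsearch {
      hosts => "SERVER_IP"
      manage_template => false
      index => "winlogbeat-%{+YYYY.MM.dd}"
      document_type => "%{[@metadata][type]}"
    }
  } else if "from_filebeat" in [tags] {
    elasticsearch {
      hosts => "SERVER_IP"
      manage_template => false
      index => "filebeat-%{+YYYY.MM.dd}"
      document_type => "%{[@metadata][type]}"
    }
  }
}
```

The same conditionals work if the stages stay split across two files, since the files are merged before the pipeline starts.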