Syslog + Beats

Hello guys,

I'm currently configuring my ELK cluster to receive syslog from ESXi and Winlogbeats events from Windows.

In the input file, I have:

input {
  udp {
    port => 3514
    type => "syslog"
  }
  beats {
    port => 5044
    type => "wineventlog"
  }
}

And the output file:

output {
  if [type] == "wineventlog" {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
      document_type => "%{[@metadata][type]}"
    }
  }
  else {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      index => "syslog-%{+YYYY.MM.dd}"
    }
  }
  stdout { codec => rubydebug }
}

Is it correct to have 2 different indices?
Is there a better way?

Thanks in advance for your help.

You could use different index series, but it's not necessary and as you add more kinds of logs you'll quickly end up with many indexes. Each shard of an index has a fixed memory overhead so you don't want too many of them.

I don't recommend using [@metadata][beat] as part of the index name; you won't have control over which index series are created, plus a misconfiguration could cause a big mess.
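As an added example (not the poster's configuration and not an Elastic-provided one), here is a pipeline that keeps the two index series but names them explicitly instead of interpolating [@metadata][beat], and routes anything with an unexpected type to a fixed catch-all index so a misconfigured shipper cannot create arbitrarily named indices or have its events silently dropped. It assumes the same ports and Elasticsearch host as the question; the index names winlogbeat-, syslog- and logstash-unrouted- are chosen here.

```logstash
# Added example, not the original poster's pipeline.
# Assumes: ESXi syslog on UDP/3514, Winlogbeat on TCP/5044,
# Elasticsearch reachable at http://localhost:9200 (same as the question).

input {
  udp {
    port => 3514
    type => "syslog"
  }
  beats {
    port => 5044
    # Beats input only sets type if the event has none, so this is a default.
    type => "wineventlog"
  }
}

filter {
  # Make events that arrive without any type easy to find later.
  if ![type] {
    mutate { add_tag => ["missing_type"] }
  }
}

output {
  if [type] == "wineventlog" {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      # Fixed prefix chosen here; nothing from the event decides the index name.
      index => "winlogbeat-%{+YYYY.MM.dd}"
    }
  } else if [type] == "syslog" {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      index => "syslog-%{+YYYY.MM.dd}"
    }
  } else {
    # Catch-all: unknown or misconfigured sources land in one known index
    # where they can be reviewed, instead of creating new index series.
    elasticsearch {
      hosts => ["http://localhost:9200"]
      index => "logstash-unrouted-%{+YYYY.MM.dd}"
    }
  }
}
```

Only the event's `type`, which the inputs above set, selects the index; the date is the only interpolated part of the name, so the set of index series stays fixed no matter what a shipper sends. The number of shards per index is not a pipeline setting: it comes from the index template on the Elasticsearch side.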

Thanks a lot for your help!
So, is this output enough?

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
  }
  stdout { codec => rubydebug }
}

Do I have to configure the "type" in the input?

Thanks in advance.

Using a different index does keep the data structure clean though. You can put things into different indices, just shard accordingly, i.e. don't use 5 shards, start with 1!

Do I have to configure the "type" in the input?

Yes, that's a good idea nevertheless.