Syslog + Beats

matthieurobin · February 29, 2016, 8:41pm

Hello guys,

I'm currently configuring my ELK cluster to receive syslog from ESXi and Winlogbeats events from Windows.

On input file, i got:

input {
  udp {
    port => 3514
    type => "syslog"
      }
  beats {
    port => 5044
	type => "wineventlog"
  }
}

And output file:
output {
if [type] == "wineventlog" {
elasticsearch {
hosts => ["http://localhost:9200"]
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"
}
}
else {
elasticsearch {
hosts => ["http://localhost:9200"]
index => "syslog-%{+YYYY.MM.dd}"
}
}
stdout { codec => rubydebug }

Is it correct to got 2 different index?
Is there a better way?

Thanks in advance for your help.

magnusbaeck · February 29, 2016, 8:47pm

You could use different index series, but it's not necessary and as you add more kinds of logs you'll quickly end up with many indexes. Each shard of an index has a fixed memory overhead so you don't want too many of them.

I don't recommend using [@metadata][beat] as part of the index name you won't have control over which index series are created, plus a misconfiguration could cause a big mess.

matthieurobin · February 29, 2016, 8:54pm

Thanks a lot for your help!
so, this output is enough?
output {
elasticsearch {
hosts => ["http://localhost:9200"]
}
stdout { codec => rubydebug }

}

Do I have to configure the "type" in the input?

Thanks in advance.

warkolm · February 29, 2016, 10:17pm

Using a different index does keep data structure clean though. You can put things into different indices, just shard accordingly - ie don't use 5 shards, start with 1!

magnusbaeck · March 1, 2016, 9:17pm

Do I have to configure the "type" in the input?

Yes, that'a a good idea nevertheless.