Syslog to different indexes

Hi Team

I am using filebeat to collect logs (mainly syslog) from multiple NW devices belonging to multiple tenants.

How can I configure the logstash conf to index these to separate indexes based on customers?
Log sources x, y (syslog) should be indexed to index customer 1
Log sources a, b (syslog) should be indexed to index name: customer 2

All devices are sending logs to the same filebeat server.

Hi @arun_k,

Here is a sample of my logstash config:
    output {
      # Filebeat events that are not Oracle RDBMS alert log lines -> daily syslog index
      if "filebeat" in [agent][type] and "org_id='oracle' comp_id='rdbms'" not in [message] {
        elasticsearch {
          hosts => ["https://elk01:9200"]
          user => 'XXX'
          password => 'XXX'
          ilm_enabled => false
          manage_template => false
          index => "syslog-%{+YYYY.MM.dd}"
          # document_type is deprecated in recent Logstash/Elasticsearch versions
          document_type => "%{[@metadata][type]}"
        }
      }
      # Filebeat events containing the Oracle RDBMS marker -> daily oracle index
      if "filebeat" in [agent][type] and "org_id='oracle' comp_id='rdbms'" in [message] {
        elasticsearch {
          hosts => ["https://elk01:9200"]
          user => 'XXX'
          password => 'XXX'
          ilm_enabled => false
          manage_template => false
          index => "oracle-%{+YYYY.MM.dd}"
          document_type => "%{[@metadata][type]}"
        }
      }
      # Winlogbeat events -> daily winlog index
      if "winlogbeat" in [agent][type] {
        elasticsearch {
          hosts => ["https://elk01:9200"]
          user => 'XXX'
          password => 'XXX'
          ilm_enabled => false
          manage_template => false
          index => "winlog-%{+YYYY.MM.dd}"
          document_type => "%{[@metadata][type]}"
        }
      }
      # Debug copy of every event on stdout
      stdout {
        codec => rubydebug
      }
    }

You can use a similar approach to separate the logs.

Best Regards,
Dan
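Applying the same idea to the per-customer routing asked about above, here is an added example pipeline (not Dan's config and not from the thread): it tags each event with a customer name in a filter and uses one elasticsearch output whose index name is built from that tag. It assumes the sending device's address arrives in `[log][source][address]` (the field Filebeat's syslog input uses; adjust if your events carry the device identity elsewhere), and the device addresses are constructed placeholders.

```logstash
input {
  beats { port => 5044 }
}

filter {
  # Map each known device address to its tenant. The addresses below are
  # constructed placeholders; replace them with the real device list.
  if [log][source][address] in ["10.0.1.10", "10.0.1.11"] {
    # log sources x, y
    mutate { add_field => { "[@metadata][customer]" => "customer1" } }
  } else if [log][source][address] in ["10.0.2.10", "10.0.2.11"] {
    # log sources a, b
    mutate { add_field => { "[@metadata][customer]" => "customer2" } }
  } else {
    # Unknown or missing source: send to a holding index so a new or
    # misconfigured device never lands in another tenant's index.
    mutate { add_field => { "[@metadata][customer]" => "unassigned" } }
  }
}

output {
  elasticsearch {
    hosts => ["https://elk01:9200"]
    user => "XXX"
    password => "XXX"
    ilm_enabled => false
    manage_template => false
    # @metadata fields are not written to the document, only used for routing
    index => "%{[@metadata][customer]}-syslog-%{+YYYY.MM.dd}"
  }
}
```

Index names must be lowercase, so keep the customer tags lowercase; the `unassigned-syslog-*` index is worth alerting on, since anything there is a device you have not mapped yet.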
