These dashboards are made to work with filebeat modules. The dashboards by default assume all data written to the filebeat index. If you translate the grok filters from the filebeat modules to logstash and have logstash write similar events to elasticsearch, the dashboards should pick up your data.
The filebeat modules source code can be found at: https://github.com/elastic/beats/tree/master/filebeat/module
For example see the mysql error log. The pipeline directory contains the ingest node pipeline definition.
As each module uses a different ingest pipeline, you might want to add some additional fields to the events (use fields setting in filebeat) for filtering in logstash. e.g.:
filebeat.prospectors:
- type: log
fields.logtype: "mysqlerror"
paths:
- /var/log/mysql/error.log*
- /var/log/mysqld.log*
exclude_files: [".gz$"]
- type: log
fields.logtype: "mysqlslow"
paths:
- /var/log/mysql/mysql-slow.log*
- /var/lib/mysql/{{.builtin.hostname}}-slow.log
exclude_files: ['.gz$']
multiline:
pattern: '^# User@Host: '
negate: true
match: after
exclude_lines: ['^[\/\w\.]+, Version: .* started with:.*'] # Exclude the header
...
I did derive the filebeat configuration, by expanding the filebeat module template by myself.
In logstash one could do the filtering/processing like:
input {
beat {
port => 5044
}
}
filter {
if [fields][logtype] == "mysqlerr" {
... # translate pipeline from https://github.com/elastic/beats/blob/master/filebeat/module/mysql/error/ingest/pipeline.json
}
if [fields][logtype] == "mysqlslow" {
... # translate pipeline from https://github.com/elastic/beats/blob/master/filebeat/module/mysql/slowlog/ingest/pipeline.json
}
}
translating pipelines can be non-trivial though (e.g. script filter using painless must be replaced with ruby filters and such). In logstash master branch I found a script doing some simple translation (not perfect, potentially incomplete): https://github.com/elastic/logstash/blob/master/bin/ingest-convert.sh
The current integration of beats modules and logstash is far from perfect. All in all we strive for full integration of modules in/with Logstash. But we're is just not there yet (I have no idea when we will be there).