I've got two Logstash configuration files that each specify a different location for log files and then define the index for said log files.
The first:
input {
  file {
    path => "/elk/nmap/results/puppetserver/full/*"
    start_position => "beginning"
    sincedb_path => "/elk/nmap/sincedb/puppetserver"
  }
}
filter {
  json {
    source => "message"
  }
}
output {
  elasticsearch {
    hosts => ["127.0.0.1:9200"]
    index => "puppetserver"
  }
}
Second:
input {
  file {
    path => "/elk/nmap/results/saltmaster/full/*"
    start_position => "beginning"
    sincedb_path => "/elk/nmap/sincedb/saltmaster"
  }
}
filter {
  json {
    source => "message"
  }
}
output {
  elasticsearch {
    hosts => ["127.0.0.1:9200"]
    index => "saltmaster"
  }
}
For some reason, when I put logs into the puppetserver folder
/elk/nmap/results/puppetserver/full/
they get added to both indexes, and I can't figure out why. Any ideas?
Secondary question: nothing is being written to the sincedb files, so every time I restart Logstash to add a new index, it re-adds all of the content again. File permissions are world-writable and world-readable (I know those permissions are a bad idea, but I set them just for testing).