Hi, Very new to logstash and have a use case that I want to achieve. I have two different filebeat instances that write to same logstash instance. filebeat instance 1 sends json output and also sets field as json, while other filebeat instance 2 sends plain text and sets field as plain. I have the logstash instance configured to listen to them and writes it out to syslog server:
input {
beats {
port => 5044
}
}
filter{
mutate{
add_field => ["timestamp", "%{@timestamp}"]
}
}
output {
syslog {
host => "100.100.100.100"
port => 514
protocol => "tcp"
ssl_verify => "false"
rfc => "rfc5424"
}
}
But if I understand it correctly, the default codec used for syslog output is plain. What is the recommended approach here to handle the json beats being received from filebeat instance 1?