Winlogbeat being ingested in both winlog-* and syslog-*

My Windows Event Collector has Winlogbeat 6.3 on it with it configured to ship to logstash on 5044. I have my logstash listening on both 5044(for winlogbeat) and 5514 (for syslog). My WEC doesn't have filebeat or any other syslog shipper installed on it however all that data winlogbeat data is also ending up in my syslog index. Any ideas what might be causing this and how to stop it?

If you have multiple config files for Logstash, they will get concatenated, so unless you use conditionals, data from all inputs will go to all outputs.

Ok, I have tried to use a conditional in my configs and now my logstash isn't listening on any ports:
output {
if [type] == "wineventlog" {
elasticsearch {
hosts => ["http://elk.xxxx.com:9200"]
index => "winlogbeat-%{+YYYY.MM.dd}"
}
}
if [type] == "syslog" {
elasticsearch {
hosts => [http://elk.xxxx.com:9200"
index ==> "syslog-%{+YYYY.MM.dd}"
}
}
}

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.