I have set up winlogbeat to forward Windows events to logstash.
I am quite new to ELK / Beats, but finding it quite intuitive and well documented - really enjoying it all.
Problem - my data was not getting indexed as I would have expected. So, I would like to lay out my setup to see where I was wrong.
winlogbeat client - pretty standard configuration to forward to logstash
logstash input - attempt to set the type so I can act on that in my output (it was suggested I not use codec=>"json" as it is reported as plain-text; that's a separate issue)
```
input {
  beats {
    port => "9999"
    type => "wincli-log"
    codec => "json"
  }
}
```
logstash output - the first condition is not met, so the 'else' is used for this one. I see in the raw client logs "type":"wineventlog", which indeed is the reported type when it gets to logstash - but why wouldn't my input type override this? How would I go about conditionally routing inputs from various systems (say I wanted to listen on 10 ports for 10 subnets to divide up my indexing)?
```
# (the opening "output {" and the first if-branch were not included in the post)
} else if [type] == "wincli-log" {
  elasticsearch {
    hosts => ["logstashserver.company.com:9209"]
    index => "journal-%{+YYYY.MM.dd}"
  }
  stdout { codec => rubydebug { metadata => true } }
} else {
  elasticsearch {
    hosts => ["logstashserver.company.com:9209"]
    index => "journal-cord"
  }
}
}
```
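An added example of per-input routing, not code from the original post. Logstash's input `type` option is documented as not overwriting a `type` the event already carries, and Winlogbeat ships its events with `"type":"wineventlog"`, so the pipeline below stamps each Beats input with its own `[@metadata][route]` field via `add_field` and branches on that field in the output. `@metadata` fields are not written to Elasticsearch, so the routing tag never ends up in the indexed documents, but `rubydebug { metadata => true }` still shows it while debugging. The ports, the Elasticsearch host, the route names and the index names are assumptions chosen for illustration; the same pattern extends to as many inputs as there are subnets.

```conf
# Added example (not from the original post): one Beats input per subnet,
# each stamping a routing field the pipeline will not overwrite, and one
# output block that branches on that field. Ports, hosts, route names and
# index names are assumed values for illustration.
input {
  beats {
    port => 5044
    # Winlogbeat events arrive with "type":"wineventlog" already set, and an
    # input's "type" setting does not replace an existing type, so a field
    # of our own is used for routing. @metadata is never indexed.
    add_field => { "[@metadata][route]" => "wincli-log" }
  }
  beats {
    port => 5045
    add_field => { "[@metadata][route]" => "dmz-log" }
  }
}

output {
  if [@metadata][route] == "wincli-log" {
    elasticsearch {
      hosts => ["elasticsearch.company.com:9200"]
      index => "journal-wincli-%{+YYYY.MM.dd}"
    }
  } else if [@metadata][route] == "dmz-log" {
    elasticsearch {
      hosts => ["elasticsearch.company.com:9200"]
      index => "journal-dmz-%{+YYYY.MM.dd}"
    }
  } else {
    # Fallback for anything that arrived without a route stamp, so that
    # a misconfigured input is noticed rather than silently mixed in.
    elasticsearch {
      hosts => ["elasticsearch.company.com:9200"]
      index => "journal-unrouted-%{+YYYY.MM.dd}"
    }
  }
  # metadata => true prints the @metadata block, so the routing field
  # can be verified per event while the pipeline is being tuned.
  stdout { codec => rubydebug { metadata => true } }
}
```

Checking the routing is a matter of sending a few events to each port and confirming in the rubydebug output that `[@metadata][route]` carries the value of the input it came through; if every event lands in the `journal-unrouted-*` index, the `add_field` stamp on the corresponding input is missing or misspelled.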