How to define split indexes for different logs in Filebeat / ELK?

I am wondering how to create separate indexes for different logs loaded in Logstash (which are later transferred to Elasticsearch), so that in Kibana I can define two indexes for them and detect them.

In my case, I have several client servers (each of which has Filebeat installed) and a centralized log server (ELK). Each client server has different types of logs, for example redis.log, Python logs, MongoDB logs, that I would like to sort by different indices and save to Elasticsearch.

Each client server also performs various tasks, for example databases, user interfaces, applications. Therefore, I would also like to give them different index names (by changing the output index in filebeat.yml?).

4 answers

In the Filebeat configuration, you can use document_type to identify the various logs that you have. Then inside Logstash you can set the value of the field type to control the target index.

, , type, . . index vs type.

Filebeat:

filebeat:
  prospectors:
    - paths:
        - /var/log/redis/*.log
      document_type: redis

    - paths:
        - /var/log/python/*.log
      document_type: python

    - paths:
        - /var/log/mongodb/*.log
      document_type: mongodb

Logstash:

input {
  beats {
    port => 5044
  }
}

output {
  # Customize elasticsearch output for Filebeat.
  if [@metadata][beat] == "filebeat" {
    elasticsearch {
      hosts => "localhost:9200"
      manage_template => false
      # Use the Filebeat document_type value for the Elasticsearch index name.
      index => "%{[@metadata][type]}-%{+YYYY.MM.dd}"
      document_type => "log"
    }
  }
}
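The index rule in that Logstash output, `%{[@metadata][type]}-%{+YYYY.MM.dd}`, builds the index name from a value that each client's filebeat.yml controls. The Python function below is an added illustration, not part of the answer above: it models that routing rule with an allowlist of the three document types declared in the Filebeat config, so a misconfigured or compromised client cannot make Logstash create arbitrary indices. The allowlist, the `unknown` fallback and the event dict shape are assumptions.

```python
import re
from datetime import datetime, timezone

# Document types the Filebeat prospectors above declare (assumption: this
# allowlist mirrors what the central ELK server expects to receive).
KNOWN_TYPES = {"redis", "python", "mongodb"}

# Elasticsearch index names must be lowercase and may not contain
# characters such as '\', '/', '*', '?', '"', '<', '>', '|', ' ', ',', '#', ':'.
_INVALID = re.compile(r'[\\/*?"<>| ,#:]')


def index_for_event(event, fallback="unknown"):
    """Compute the target index the way the Logstash output above does,
    "%{[@metadata][type]}-%{+YYYY.MM.dd}", but only for an allowlisted type.

    `event` is a dict shaped like a Beats event as Logstash sees it, e.g.
    {"@metadata": {"beat": "filebeat", "type": "redis"},
     "@timestamp": "2016-03-01T12:00:00Z"}   (constructed sample shape)
    """
    meta = event.get("@metadata", {})
    if meta.get("beat") != "filebeat":
        return None  # the output block above only handles Filebeat events
    doc_type = str(meta.get("type", "")).lower()
    # The type is client-controlled and lands in the index name, so reject
    # anything outside the allowlist instead of letting a client choose it.
    if doc_type not in KNOWN_TYPES or _INVALID.search(doc_type):
        doc_type = fallback
    ts = event.get("@timestamp")
    if ts:
        day = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    else:
        day = datetime.now(timezone.utc)
    # Logstash's %{+YYYY.MM.dd} formats @timestamp (UTC) as year.month.day.
    return f"{doc_type}-{day.strftime('%Y.%m.%d')}"
```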

Logstash:

input {
    file {
        type => "redis"
        path => "/home/redis/log"
    }
    file {
        type => "python"
        path => "/home/python/log"
    }
}
filter {
    if [type] == "redis" {
        # processing .......
    }
    if [type] == "python" {
        # processing .......
    }
}
output {
    if [type] == "redis" {
        # output to elasticsearch redis
        # (index must sit inside an elasticsearch block; host is assumed)
        elasticsearch {
            hosts => ["localhost:9200"]
            index => "redis"
        }
    }
    if [type] == "python" {
        # output to elasticsearch python
        elasticsearch {
            hosts => ["localhost:9200"]
            index => "python"
        }
    }
}

In filebeat.yml:

filebeat.prospectors:
- input_type: log
  paths:
    - /var/log/*.log
  fields: {log_type: toolsmessage}

- input_type: log
  paths:
    - /etc/httpd/logs/ssl_access_*
  fields: {log_type: toolsaccess}

In logstash.conf:

input {
  beats {
    port => "5043"
  }
}

filter {
  if ([fields][log_type] == "toolsmessage") {
    mutate {
      replace => {
        "[type]" => "toolsmessage"
      }
    }
  }
  else if ([fields][log_type] == "toolsaccess") {
    mutate {
      replace => {
        "[type]" => "toolsaccess"
      }
    }
  }
}

output {
  elasticsearch {
    hosts => ["10.111.119.211:9200"]
    index => "%{type}_index"
  }
 #stdout { codec => rubydebug }
}

I have read all of the above. Here is my way.

input {
    stdin {
    }
    jdbc {
      type => "jdbc"
      ....
    }
    http_poller {
        type => "api"
      ....
    }

}
filter {
....
}
output {
    elasticsearch {
        hosts => ["jlkjkljljkljk"]
        index => "%{type}_index"
        document_id => "%{id}"
    }
    stdout {
        codec => json_lines
    }
}

Source: https://habr.com/ru/post/1650555/
