Hey @a.emrekaraman
Here is an example of my lab Logstash config.
root@ansible:/opt/logstash-8.6.1/config# cat logstash.conf
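# Lab Logstash configuration: Beats and UDP syslog in, OpenSearch out.
# (The original header said "Elasticsearch"; the output section of this
# file actually ships to the opensearch plugin.)
input {
  beats {
    port => 5044
    # Tag Beats events so the output section can route them to the
    # per-beat daily index.
    tags => ["beat"]
  }
}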
input {
  # Firewall syslog arrives over UDP. UDP carries no authentication, so any
  # host that can reach this port can inject events that will be tagged
  # "syslog" and indexed as firewall data; limit reachability to the
  # firewall's source address at the host or network firewall.
  udp {
    port => 5144
    tags => ["syslog"]
  }
}
filter {
  # Firewall events only: strip the RFC 5424 <PRI> prefix, then explode the
  # remaining key=value body into individual fields.
  if "syslog" in [tags] {
    grok {
      match => { "message" => "%{SYSLOG5424PRI}%{GREEDYDATA:message}" }
      # Replace the original message with the part after the PRI field
      # instead of keeping both copies.
      overwrite => ["message"]
    }
    kv {
      source => "message"
      value_split => "="
    }
  }
}
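filter {
  # Drop firewall fields that are not useful in the index.
  if "syslog" in [tags] {
    mutate {
      # Changes from the original list:
      #  - "dstserver" was listed twice; the duplicate is removed.
      #  - "log.syslog.priority" as a plain dotted string names a literal
      #    top-level key called "log.syslog.priority"; the field grok writes
      #    the PRI value to is nested, so it is referenced as
      #    [log][syslog][priority] here.
      # NOTE(review): removing "user" drops account attribution from
      # firewall events, which is usually what an investigator needs first —
      # confirm that is intended.
      remove_field => [
        "addr", "appcat", "craction", "crlevel", "crscore", "devtype",
        "dstdevtype", "dstosname", "dstserver", "fazlograte",
        "freediskstorage", "interface", "[log][syslog][priority]",
        "masterdstmac", "mastersrcmac", "osname", "policytype", "poluuid",
        "setuprate", "srchwvendor", "srcserver", "total", "totalsession",
        "used", "user", "vd"
      ]
    }
  }
}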
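output {
  # Route by tag: Beats traffic goes to a per-beat daily index, firewall
  # syslog to firewall-*. An event carrying neither tag matches no branch
  # and is dropped silently.
  if "beat" in [tags] {
    opensearch {
      hosts => ["https://my_domain.com:9200"]
      auth_type => {
        type => "basic"
        # Prefer a dedicated account with write access to these indices
        # only, rather than the built-in admin user.
        user => "admin"
        # Resolved from the environment or logstash-keystore at startup, so
        # the secret is not kept in this file (the original hard-coded
        # 'changeit'). Set OPENSEARCH_PASSWORD before starting Logstash.
        password => "${OPENSEARCH_PASSWORD}"
      }
      ecs_compatibility => disabled
      ssl => true
      # Certificate verification stays enabled; the cluster CA is pinned
      # here instead of disabling verification.
      cacert => "/opt/logstash-8.6.1/root-ca.pem"
      index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    }
  }
  if "syslog" in [tags] {
    opensearch {
      # Same cluster as the beat branch (the original had "my_doamin.com",
      # a typo that would have failed DNS resolution for firewall events).
      hosts => ["https://my_domain.com:9200"]
      auth_type => {
        type => "basic"
        user => "admin"
        password => "${OPENSEARCH_PASSWORD}"
      }
      ecs_compatibility => disabled
      ssl => true
      cacert => "/opt/logstash-8.6.1/root-ca.pem"
      index => "firewall-%{+YYYY.MM.dd}"
    }
  }
}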
root@ansible:/opt/logstash-8.6.1/config#
I created two ports [5044, 5144]: one is for my beats (i.e., Metricbeat, Filebeat, Winlogbeat), the other is for my firewall. Since the firewall log arrives as a single block, I used grok to separate it into fields.
All my beats are configured the same; you can either place a tag on the individual instances or use
Logstash to do it for you.
EDIT: it really depends on what you want to do. You could even use this example that ships with Logstash.
root@ansible:/opt/logstash-8.6.1/config# cat logstash-sample.conf
# Sample Logstash configuration for creating a simple
# Beats -> Logstash -> Elasticsearch pipeline.
# (The logstash-sample.conf shipped with Logstash, shown unmodified.)
input {
# Beats input on the default port. No tags are set, so the output below
# applies to every event.
beats {
port => 5044
}
}
output {
# Plain HTTP and no credentials: acceptable only for a local, single-host
# lab. Enable the user/password lines (and TLS on the hosts URL) before
# pointing this at a shared cluster.
elasticsearch {
hosts => ["http://localhost:9200"]
# One index per beat, beat version and day.
index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
#user => "elastic"
#password => "changeme"
}
}
root@ansible:/opt/logstash-8.6.1/config#