Logstash: Geoip for Internal Networks – Part 2


Continuing with Logstash. If you're doing anything with Topbeat, then consider the dashboards, available here. Using Filebeat and Topbeat to feed Logstash effectively means Logstash receives both streams via port 5044. In your Logstash config, you may want to insert the data into different Elasticsearch indices. One way to do this is to check the input type of the data coming from Beats:

filter {
  # Topbeat tags its events with one of these three types
  if [type] == "system" or [type] == "filesystem" or [type] == "process" {
    mutate {
      # copy the type into a field the output section can reference
      add_field => { "_IndexName" => "%{type}" }
    }
  }
}

And then in the output section, change the index name as appropriate:

output {
  elasticsearch {
    # one daily index per Beats type, e.g. system-2016.01.20
    index => "%{_IndexName}-%{+YYYY.MM.dd}"
  }
}
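The following is an added, complete pipeline configuration (it is not from the original post) showing the same routing end to end. It goes slightly beyond the snippets above in two ways: the routing value is kept under `[@metadata]`, which Logstash exposes to the filter and output stages but never writes to Elasticsearch, so no helper field ends up in the stored documents; and an `else` branch supplies a fallback index name for Filebeat events, because an unresolved `%{...}` reference in the `index` setting is otherwise written literally into the index name. The port, the `localhost:9200` host and the `topbeat-`/`filebeat` index prefixes are assumptions to adjust. Keeping each source in its own index is also what lets you apply different retention periods and access controls later.

```conf
# Added example, not part of the original post.
# Assumed: Beats ship to port 5044, Elasticsearch listens on localhost:9200.
input {
  beats {
    port => 5044
  }
}

filter {
  # Topbeat sets type to "system", "filesystem" or "process";
  # Filebeat events carry whatever document_type the prospector set.
  if [type] == "system" or [type] == "filesystem" or [type] == "process" {
    mutate {
      # [@metadata] fields are usable in later stages but are not indexed
      add_field => { "[@metadata][index]" => "topbeat-%{type}" }
    }
  } else {
    # Fallback so the index name never contains a literal "%{...}"
    mutate {
      add_field => { "[@metadata][index]" => "filebeat" }
    }
  }
}

output {
  elasticsearch {
    hosts => ["localhost:9200"]
    # e.g. topbeat-system-2016.01.20 or filebeat-2016.01.20
    index => "%{[@metadata][index]}-%{+YYYY.MM.dd}"
  }
}
```

Run it with `bin/logstash -f logstash.conf` and confirm the daily indices appear under the expected prefixes; if you see an index whose name contains `%{`, an event reached the output without the routing field set.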

~ by mdavey on January 20, 2016.
