Hi! Is it possible to specify multiple inputs in Graylog 2.4.6 but using only 1 IP and PORT?
Let’s say I have a logstash that has 20 inputs from different systems, this logstash’s adress is: logstash.example and port 5044. Every log has a field called “tags” where the systems (source) name is stored.
Would it be possible to create 20 inputs in graylog, all on logstash.example:5044 but all ingesting different logs depending on field: tags? Reasoning behind it would be : every system needs it’s own specific extractors so having everything piled up in a single INPUT can lead to a disaster.
You can’t have 20 Inputs on the same PORT as this is not possible from OS architekture level - only one service can listen on the same port at a time.
But if you have a field that makes it possible to identify the type of log and what extraction is needed, you can just ingest everything into Graylog and use the processing pipelines to run the extractors only on the messages where it is needed.
Then either, as Jan said, you will need to let your extractors trigger on specific content that applies to each unique source. Or you will need to have multiple inputs running on different ports.