Send different input to the graylog using filebeats

bruleeyo · August 4, 2023, 4:10am

I want to send 3 input to the graylog using filebeats, which are: auth.log, access.log, and error.log. and i want to differentiate them into 3 output in graylog, with 3 different port ( i have 1 server graylog). so i have 3 different input in graylog. i have tried this configuration but it doesnt appear any logs:

filebeat.yml

filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /path/auth.log
    fields:
      log_type: auth_logs
    fields_under_root: true

  - type: log
    enabled: true
    paths:
      - /path/access.log
    fields:
      log_type: access_logs
    fields_under_root: true

  - type: log
    enabled: true
    paths:
      - /path/error.log
    fields:
      log_type: error_logs
    fields_under_root: true

output:
  if:
    equals:
      log_type: "auth_logs"
  logstash:
    host: graylog_server_ip
    port: 12201

  else if:
    equals:
      log_type: "access_logs"
  logstash:
    host: graylog_server_ip
    port: 12202

  else if:
    equals:
      log_type: "error_logs"
  logstash:
    host: graylog_server_ip
    port: 12203

  else:
    logstash:
      host: graylog_server_ip
      port: 12204

in graylog inputs, i tried to used gelf tcp and beats but both not works. i think the problem is in the output, but i dont know how. please help

Joel_Duffield · August 4, 2023, 4:22pm

Beats is the input type you will want to use, by why are you wanting to send them in seperately, you can just use pipelines to route them once they are in graylog even on the same input?

bruleeyo · August 7, 2023, 6:14am

i want to differentiate those logs (in the input graylog), so it would be clearer information. does using pipelines can separate the input logs in graylog?

Joel_Duffield · August 10, 2023, 11:57am

Ya absolutly! The regular way to do it would be to send them all through one input, and then use a pipeline with route_to_stream and using the when section of the pipeline to filter the messages you want routed to that location.

Something like
When
$message.source == “8.8.8.8”
Then
Route_to_stream(name: “my stream”, remove_from_default: true);
End

But you can use any supported function in the when section to select the messages.

system · August 24, 2023, 11:57am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Multiple log types via filebeats to Graylog Graylog Central (peer support) pipeline-rules , route-to-streampl	4	2633	September 11, 2018
Filebeat configuration Graylog Central (peer support) sidecar , filebeat-linux	46	49641	July 2, 2018
Not able to send logs from filebeat to graylog Graylog Central (peer support)	7	3201	July 30, 2020
Send logs from one filebeat to two graylog instances Graylog Central (peer support)	6	2639	March 4, 2021
Filebeats creation for different input file Graylog Central (peer support)	5	2084	July 7, 2017

Send different input to the graylog using filebeats

Related Topics