Should I run as many instances as I have different types of logs?
No! You can only run one instance to handle different types of logs.
In the logstash configuration file, you can specific each input with different type.
Then in the filter you can use if to distinct different processing,
and also at the output you can use “if” output to different destination.
input {
file {
type => "technical"
path => "/home/technical/log"
}
file {
type => "business"
path => "/home/business/log"
}
}
filter {
if [type] == "technical" {
# processing .......
}
if [type] == "business" {
# processing .......
}
}
output {
if [type] == "technical" {
# output to gelf
}
if [type] == "business" {
# output to elasticsearch
}
}
Hope this can help you 🙂