Differentiating between different log types in Logstash can be achieved in various ways, depending on your choice of source.

If you are using a Beats source, you can define multiple input sections in your configuration file and distinguish between different types of logs by setting type: to a different name in each one.

Using Filebeat to separate your log types:

Use the example code block below to help you get started.

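filebeat.prospectors:

- type: log              # Filebeat input type
  enabled: true
  ...
  fields:
    type: logType1       # custom log type, read as [type] in Logstash
  fields_under_root: true

- type: log
  enabled: true
  ...
  fields:
    type: logType2
  fields_under_root: true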

And then you can query the type in your Logstash filter:

if [type] == "logType1" {
   # filters for logType1 events go here
} else if [type] == "logType2" {
   # filters for logType2 events go here
}

Using log fields to distinguish log types

You can also query your log fields to check the log type if you have created the field in your log.  For example:

if [mylog][type] == "my-iis-logs" {
   # filters for my-iis-logs events go here
}
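
Both checks combined in one filter block, with a fallback for events that match neither. This is an added example, not part of the original article. The tag names are constructed, and copying [mylog][type] into [type] is an assumption about how you want to normalize the field:

```logstash
filter {
  # Normalize: if only the field written into the log itself is present,
  # copy it to the top-level type so a single field drives the routing below.
  if ![type] and [mylog][type] {
    mutate { copy => { "[mylog][type]" => "type" } }
  }

  if [type] == "logType1" {
    # filters for logType1 events go here
    mutate { add_tag => ["type_logType1"] }
  } else if [type] == "logType2" {
    # filters for logType2 events go here
    mutate { add_tag => ["type_logType2"] }
  } else if [type] == "my-iis-logs" {
    # filters for IIS events go here
    mutate { add_tag => ["type_iis"] }
  } else {
    # Missing or unexpected type: keep the event, but tag it so that
    # sources skipping every parsing branch are visible in searches.
    mutate { add_tag => ["unknown_log_type"] }
  }
}
```

Searching for the unknown_log_type tag shows which sources are shipping events without a recognized type.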

What's Next

  • Configure your data source to have different log types.