[graylog2] Filebeat Collector-Sidecar with multiple tags sends only to one graylog input

[j . wagner]

Hi,

we recently updated our graylog server to version 2.1. Now we want to use 
filebeat instead of Nxlog but I'm having trouble with the collector 
configuration. Using Nxlog i created various GELF TCP inputs and therefore 
suitable collector configurations. In every collector configuration i 
created an NXLog GELF TCP output with the ip address of the graylog server 
and the specific port of the previously created input. On the client i 
configure the collector_sidecar configuration file with needed tags. All 
logfiles i configured get to the specific inputs. I can also see this in 
the generated nxlog.yml

When I do the same procedure with Beat Outputs the log messages are 
transferred to only one input. I also can see this in the generated 
filebeat.yml (in the nxlog.yml there is an output for every input on a 
different port):

filebeat:
  prospectors:
  - document_type: log
    fields:
      gl2_source_collector: c12f71d9-98a7-451e-a5a9-d29a7b6fcbf9
    ignore_older: 0
    input_type: log
    paths:
    - /var/log/auth.log
    scan_frequency: 10s
    tail_files: true
  - document_type: log
    fields:
      gl2_source_collector: c12f71d9-98a7-451e-a5a9-d29a7b6fcbf9
    ignore_older: 0
    input_type: log
    multiline:
      match: after
      negate: false
      pattern: '''^[0-9]{2}-[A-Z][a-z]{1,3}.*Error'''
    paths:
    - /var/log/bacula/bacula.log
    scan_frequency: 10s
    tail_files: true
  - document_type: log
    fields:
      gl2_source_collector: c12f71d9-98a7-451e-a5a9-d29a7b6fcbf9
    ignore_older: 0
    input_type: log
    paths:
    - /var/log/syslog
    scan_frequency: 10s
    tail_files: true
output:
  logstash:
    hosts:
    - xxx.xxx.xxx.xxx:12204

I also recognized that the type of the output is logstash in the 
webinterface. In my opinion it has something to be like "Beats Output" what 
i also can choose in the drop down when creating the output. It might have 
something to do with this issue:

https://github.com/Graylog2/graylog-plugin-collector/issues/16


Anyone else is experiencing this problem?

Thanks and regards,

Jan  

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/03d8a302-c5ba-43d9-88d1-648db5dfa83e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.