Ksisu/filebeat.yml

## filebeat.yml
- type: log
  enabled: true
  paths:
    - /data/mssql2017/log/errorlog
  multiline:
    pattern: '^\t'
    negate: false
    match: after
  fields:
    log_type: mssql

## pipeline.conf
input {
  beats {
    port => "5044"
  }
}
filter {
  if [fields][log_type] == "mssql" {
    grok {
      match => {
        "message" => [ "%{TIMESTAMP_ISO8601:timestamp} %{NOTSPACE:logsource}%{SPACE}%{GREEDYDATA:message}" ]
      }
      "overwrite" => "message"
    }
    date {
      match => [ "timestamp", ISO8601 ]
    }
  }
}
output {
  elasticsearch {
    hosts => [ "elasticsearch:9200" ]
    manage_template => false
    index => "filebeat-%{[fields][log_type]}-%{+YYYY.MM.dd}"
  }
}
	- type: log
	enabled: true
	paths:
	- /data/mssql2017/log/errorlog
	multiline:
	pattern: '^\t'
	negate: false
	match: after
	fields:
	log_type: mssql
	input {
	beats {
	port => "5044"
	}
	}
	filter {
	if [fields][log_type] == "mssql" {
	grok {
	match => {
	"message" => [ "%{TIMESTAMP_ISO8601:timestamp} %{NOTSPACE:logsource}%{SPACE}%{GREEDYDATA:message}" ]
	}
	"overwrite" => "message"
	}
	date {
	match => [ "timestamp", ISO8601 ]
	}
	}
	}
	output {
	elasticsearch {
	hosts => [ "elasticsearch:9200" ]
	manage_template => false
	index => "filebeat-%{[fields][log_type]}-%{+YYYY.MM.dd}"
	}
	}