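# logstash/pipeline/logstash.conf
# ELK Stack 8.x -- Multi-input Logstash pipeline
# Accepts: Beats (5044), TCP JSON (5000), Syslog (5140)
#
# NOTE(review): one directive per line is required here. A '#' comments out
# the rest of its line, so a collapsed single-line copy of this file is parsed
# as one long comment and defines no pipeline.
#
# NOTE(review): none of the three listeners below configures TLS or client
# authentication. Anything that can reach these ports can submit events, and
# the events travel in cleartext. Restrict the published ports to the trusted
# log-shipping network, or enable TLS on each input.

input {
  # Filebeat / Metricbeat / other Beats agents
  beats {
    port => 5044
  }

  # Direct TCP JSON input (for application logging).
  # json_lines decodes each line into top-level event fields, so the sender
  # chooses the field names and values. Downstream detections should not
  # treat fields arriving on this input as trusted.
  tcp {
    port => 5000
    codec => json_lines
  }

  # Syslog input (RFC 3164 / RFC 5424).
  # The syslog input listens on both TCP and UDP on this port.
  syslog {
    port => 5140
  }
}

filter {
  # Add timestamp if not present.
  # A sender-supplied "timestamp" is kept as-is; only events without one get
  # a copy of @timestamp.
  if ![timestamp] {
    mutate {
      add_field => { "timestamp" => "%{@timestamp}" }
    }
  }

  # Parse JSON message body if present.
  # Parsed keys go under [parsed], so attacker-controlled JSON in the message
  # cannot overwrite existing top-level fields. Invalid JSON is skipped
  # without failing the event.
  if [message] =~ /^\{/ {
    json {
      source => "message"
      target => "parsed"
      skip_on_invalid_json => true
    }
  }

  # Add metadata ([@metadata] fields are not sent to the output).
  mutate {
    add_field => { "[@metadata][pipeline]" => "elk-docker" }
  }
}

output {
  elasticsearch {
    # NOTE(review): plain http:// sends the basic-auth credentials and every
    # event unencrypted. Prefer an https:// endpoint with the cluster CA
    # configured in this plugin's TLS options.
    hosts => ["http://elasticsearch:9200"]
    # The account should hold only the privileges needed to write to the
    # logstash-* indices.
    user => "logstash_internal"
    # Resolved at startup from the Logstash keystore or the environment. The
    # secret itself must stay out of this file.
    password => "${LOGSTASH_INTERNAL_PASSWORD}"
    index => "logstash-%{+YYYY.MM.dd}"
    # Logstash will not install an index template, so mappings for logstash-*
    # must be managed elsewhere.
    manage_template => false
  }
}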