Hello,
In my new setup i created a beat.conf so i can receive my data from a windows machine with winlogbeat installed and set the output to elastic.
When i create an index i can choose betwen logstash and winlogbeat and in monitoring i'm seeing 2 indices with the same size.
I think i'm collecting and storing the data twice, what am i doing wrong?
You will probably need to share your beat and Logstash config, minus comments 
input {
beats {
port => 5044
}
}
output {
elasticsearch {
hosts => ["http://10.0.0.46:9200"]
index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
}
}
settings modified in logstash.yml:
http.host: "10.0.0.46"
Where is your winlogbeat output?
Normally you have to comment the elasticsearch output and uncomment the logstash output.
Are you running Logstash as a service? Do you by any chance have more than one file containing an elasticsearch output in the config directory? Be aware that Logstash will concatenate all files into a single logical pipeline, which means that data from all inputs will go to all outputs unless you control the flow using conditionals.
Ah yes i found it, i had another config file for syslog, i did not use it yet so i deleted it i now its fine.
thanx for your input
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.