Hi people,
I have 3 elk for different logs, I want to make only one big elk but separate these logs. Can I do 3 different indices? How do I indicate the filebeat to which index should I send? Where can I read about this?
thanks
Hi,
Here:
You need to set the index in your filebeat.yml file under the output.elasticsearch key.
output.elasticsearch:
# Boolean flag to enable or disable the output module.
#enabled: true
# Array of hosts to connect to.
# Scheme and port can be left out and will be set to the default (http and 9200)
# In case you specify and additional path, the scheme is required: http://localhost:9200/path
# IPv6 addresses should always be defined as: https://[2001:db8::1]:9200
hosts: ["localhost:9200"]
# Optional index name. The default is "filebeat" plus date
# and generates [filebeat-]YYYY.MM.DD keys.
# In case you modify this pattern you must update setup.template.name and setup.template.pattern accordingly.
index: "project1-%{[agent.version]}-%{+yyyy.MM.dd}"
If you use a json syntaxe:
{
"output.elasticsearch": {
"hosts": [
"localhost:9200"
],
"index": "project1-%{+yyyy.MM.dd}"
},
Just set the index name you want for each configuration and keep the same hosts and you are done.
Need to consider about the disk space, the network and CPU usage, be sure that your server can handle correctly 3 source input in same time.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.