Apache module custom index is ignored

Hi there,

We've upgraded from filebeats 6.8.2 to 7.9.2, and all our logs are getting to ElasticSearch, yet the Apache logs are getting through with the default index (filebeat-version-date type setup) instead of the custom index that worked in 6.8.2. On 6.8.2, we added the below:

    indices:
    - index: team-system_role_apache_%{+yyyy_ww}
      when.equals:
        fileset.module: apache2
    - index: "%{[fields.log_type]}-%{+yyyy_ww}"

This worked in filebeats 6, and everything coming from the apache module on this server's index would be changed to have team-system_role_apache_2020_11 for example.

Now for filebeat 7.9.2, we changed to the below config:

    indices:
    - index: team-system_role_apache_%{+yyyy_ww}
      when.equals:
        event.module: apache
    - index: "%{[fields.log_type]}-%{+yyyy_ww}"

But the logs are still getting to the server with the default filebeat-version-date type index.

Is something incorrect in this config? The module is enabled and the logs are getting to the Target, just they are not getting this index applied at all. This is all done in filebeat.yml, more config settings pertaining to this, below:

filebeat:
  modules:
  - module: apache
    access:
      var.paths:
      - "/var/log/apache2/*access*.log"
    error:
      var.paths:
      - "/var/log/apache2/*error*.log"

I have included the second index, that simply appends the year and week number to all non-apache indexes and this is still added, it's just the apache one that's not working...

Am I missing something?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.