Beats to create daily index

headtea · September 1, 2020, 1:03pm

Auditbeat is configured to send data to Elasticsearch directly. I'm trying to get auditbeat to create a new index every day. Right now this is the index that beats uses: auditbeat-7.9.0-2020.08.24-000001, even though today is 2020.09.01.

For that, I've set up these lines in auditbeat.yml:

output.elasticsearch:
  index: "auditbeat-%{[agent.version]}-%{+yyyy.MM.dd}"
  setup.template.name: "auditbeat"
  setup.template.pattern: "auditbeat-*"

But when I start auditbeat I get this:

Exiting: setup.template.name and setup.template.pattern have to be set if index name is modified

Does anyone know why I get this? As seen in my .yml file I have included these fields.

Thanks ahead!

Kaiyan_Sheng · September 1, 2020, 11:41pm

I think https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-index_.html#index-creation is what you are looking for. You can add auditbeat-* into the list for action.auto_create_index setting.

warkolm · September 2, 2020, 12:31am

I think this topic relates to your other ones on ILM, as Auditbeat is using ILM here.

system · September 30, 2020, 2:32am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.