Change auditd modules index name

Mohammad.ali · August 21, 2019, 7:34am

Hello everyone
i enable filebeat audit modules but the question is how can i change the default index name which is filebeat*?

faec · August 22, 2019, 7:29pm

You probably want the index parameter in output.elasticsearch -- see the configuration docs here

Mohammad.ali · August 23, 2019, 6:26pm

Thanks for your reply
what i have done so far

1.) Enable the auditd modules

module: auditd
log:
enabled: true
var.paths: ["/var/log/audit/audit.log"]

2.) config my filebeat.yml file

setup.template.name: "audit"
setup.template.pattern: "audit-*"
setup.template.enable: true
setup.template.overwrite: true
setup.template.settings:
index.number_of_shards: 1
#index.codec: best_compression
#_source.enabled: false

output.elasticsearch:
hosts: ["localhost:9200"]
index: "audit-%{+yyyy.MM.dd}"

But when i start the service the default template is still used which is filebeat*

system · September 20, 2019, 6:34pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to change elasticsearch output index with default template Beats filebeat	3	1092	May 16, 2019
Index name for modules Beats filebeat	4	1359	September 11, 2019
Comand line Filebeat Beats filebeat	3	408	April 17, 2018
How to specify different index name rather than the default? Beats filebeat	1	292	February 15, 2023
Can't modify the default index name Beats filebeat	2	1854	August 8, 2019

Change auditd modules index name

Related topics