Hello everyone,
I enabled the Filebeat auditd modules, but the question is how can I change the default index name, which is filebeat*?
You probably want the index parameter in output.elasticsearch -- see the configuration docs here.
Thanks for your reply.
What I have done so far:
1.) Enable the auditd module (modules.d/auditd.yml)
    - module: auditd
      log:
        enabled: true
        # path of the audit log to collect
        var.paths: ["/var/log/audit/audit.log"]
2.) Configure my filebeat.yml file
    # custom template name/pattern are required when the index name is changed
    setup.template.name: "audit"
    setup.template.pattern: "audit-*"
    setup.template.enabled: true
    setup.template.overwrite: true
    setup.template.settings:
      index.number_of_shards: 1
      #index.codec: best_compression
      #_source.enabled: false
    output.elasticsearch:
      hosts: ["localhost:9200"]
      index: "audit-%{+yyyy.MM.dd}"
But when I start the service, the default template is still used, which is filebeat*.
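As an added example (not the poster's configuration), a filebeat.yml for Filebeat 7.x that writes auditd module events to a custom index. On Filebeat 7.x with Elasticsearch 7.x, index lifecycle management is switched on automatically and makes the output write to the filebeat-* rollover alias, ignoring output.elasticsearch.index; the host, index name and template name are assumptions.

```yaml
# filebeat.yml (added example; the auditd module itself stays enabled
# in modules.d/auditd.yml as in the poster's step 1)

# ILM is "auto" by default and, when Elasticsearch supports it, overrides
# output.elasticsearch.index with the filebeat-* alias. Disable it so the
# custom index name below is honoured.
setup.ilm.enabled: false

# When the index name is changed, Filebeat requires both a template name
# and a matching pattern, otherwise it refuses to load the template.
setup.template.enabled: true
setup.template.name: "audit"        # assumed template name
setup.template.pattern: "audit-*"   # must match the index name below
setup.template.overwrite: true
setup.template.settings:
  index.number_of_shards: 1

output.elasticsearch:
  hosts: ["localhost:9200"]         # assumed host
  # daily index; the agent.version field keeps mappings from different
  # Filebeat releases out of the same index
  index: "audit-%{[agent.version]}-%{+yyyy.MM.dd}"
```

After restarting Filebeat, the existing filebeat-* template can stay in Elasticsearch; it only matters for indices whose names match filebeat-*.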