Change index name for threatintel module, good idea?


I am trying to change the name of the index for threatintel module from "filebeat" to "threatintel".

It does not make much sense to me to bury these documents amongst millions of logs. Or does it? Am I missing something?

While trying to change the index name, I have encountered many issues such as

  • threatintel dashboards not using threatintel index
  • then all dashboards using threatintel index
  • index template not named correctly (threatintel-7.6.13 instead of threatintel)
  • filebeat setup requiring "" and "setup.template.pattern" when the doc says those settings are ignored when ILM is used
  • filebeat sending documents to the wrong index ("threatintel-7.16.3-2022.01.23" instead of "threatintel-7.16.3-2022.01.23-000001")

And I have not yet tried to run rules ...

I am starting to think that every single configuration is mostly hardcoded and really difficult to change.

Is it actually a good idea to change the index name for threatintel documents?


It's fine, just use something like filebeat-threatintel.... that way the dashboards will still work.
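As an added illustration of the reply's suggestion (not configuration posted by either participant), this is a filebeat.yml fragment that keeps the "filebeat-" prefix so the module's "filebeat-*" index patterns still match, while routing threat intel documents to their own ILM rollover alias. The host, version string and alias name are assumptions; with ILM enabled, the rollover alias rather than `output.elasticsearch.index` decides the write index, which is why documents end up in a "-000001" backing index instead of a plain dated one.

```yaml
# Added example, not from the original thread. Assumed Filebeat 7.x with ILM
# enabled (the default against a self-managed Elasticsearch cluster).

output.elasticsearch:
  hosts: ["https://es.example.internal:9200"]   # assumed host
  # With setup.ilm.enabled true, this value is overridden by the rollover alias
  # below; it is left here only so the intent is visible when reading the file.
  index: "filebeat-threatintel"

setup.ilm:
  enabled: true
  # Alias name keeps the "filebeat-" prefix, so the stock filebeat-* index
  # patterns and the module dashboards keep resolving these documents.
  rollover_alias: "filebeat-threatintel"
  # Backing indices become filebeat-threatintel-<date>-000001, -000002, ...
  pattern: "{now/d}-000001"

# setup.template.name / setup.template.pattern are ignored while ILM is enabled;
# the template name is derived from the rollover alias instead.

filebeat.modules:
  - module: threatintel
    abuseurl:
      enabled: true
```

After `filebeat setup`, a quick sanity check is to list aliases for "filebeat-threatintel*" in Elasticsearch and confirm the alias points at a single index marked `is_write_index: true`; if events appear in an index named after the date but without a "-000001" suffix, ILM is not actually in effect for that output and the plain `index` setting is being used.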

