Change index name in winlogbeat

witkacy · July 26, 2021, 12:02pm

Hello,

How can I change default name of Elasticsearch index in winlogbeat configuration?

I tried this but with no success:

winlogbeat.event_logs:
  - name: MY-Log
    ignore_older: 1h
    processors:
      - decode_xml:
            field: message
            target_field: xml_message
            ignore_missing: true
            ignore_failure: true
      - drop_fields:
            fields: ["host", "log", "event", "winlog", "message"]      
setup.template.settings:
 
setup.kibana:
queue.mem:
  events: 4096
  flush.min_events: 500
  flush.timeout: 10s
   
output.elasticsearch:
  hosts: ["http://localhost:9200"]
  output.elasticsearch.index: "customname-%{[agent.version]}-%{+yyyy.MM.dd}"

legoguy1000 · July 26, 2021, 12:49pm

This should just be index: as it is already under the output.elasticsearch block.

witkacy · July 26, 2021, 1:17pm

Thanks @legoguy1000 ,

looks that now configuration is ok but in the winlogbeat log I can see:

2021-07-26T15:14:16.884+0200 INFO [index-management] idxmgmt/std.go:184 Set output.elasticsearch.index to 'winlogbeat-7.13.2' as ILM is enabled.

legoguy1000 · July 27, 2021, 1:03am

I think u need to turn ILM off or it will default to that and override the index setting. Set setup.ilm.enabled: false

system · August 24, 2021, 3:03am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.