Change index name in winlogbeat

witkacy · July 26, 2021, 12:02pm

Hello,

How can I change default name of Elasticsearch index in winlogbeat configuration?

I tried this but with no success:

winlogbeat.event_logs:
  - name: MY-Log
    ignore_older: 1h
    processors:
      - decode_xml:
            field: message
            target_field: xml_message
            ignore_missing: true
            ignore_failure: true
      - drop_fields:
            fields: ["host", "log", "event", "winlog", "message"]      
setup.template.settings:
 
setup.kibana:
queue.mem:
  events: 4096
  flush.min_events: 500
  flush.timeout: 10s
   
output.elasticsearch:
  hosts: ["http://localhost:9200"]
  output.elasticsearch.index: "customname-%{[agent.version]}-%{+yyyy.MM.dd}"

legoguy1000 · July 26, 2021, 12:49pm

This should just be index: as it is already under the output.elasticsearch block.

witkacy · July 26, 2021, 1:17pm

Thanks @legoguy1000 ,

looks that now configuration is ok but in the winlogbeat log I can see:

2021-07-26T15:14:16.884+0200 INFO [index-management] idxmgmt/std.go:184 Set output.elasticsearch.index to 'winlogbeat-7.13.2' as ILM is enabled.

legoguy1000 · July 27, 2021, 1:03am

I think u need to turn ILM off or it will default to that and override the index setting. Set setup.ilm.enabled: false

system · August 24, 2021, 3:03am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Changing the index name for winlogbeat sent to elasticsearch Beats winlogbeat	7	3319	March 27, 2019
Unable to change the default index name in Winlogbeat.yml Beats winlogbeat	2	935	July 31, 2018
How do I change winlogbeat's index name to anything other than winlogbeat? Beats winlogbeat	2	540	October 14, 2020
Rename the WinlogBeat index Beats winlogbeat	6	1442	March 30, 2018
Change loaded index name Beats winlogbeat	7	1051	May 8, 2020

Change index name in winlogbeat

Related topics