Change index name in winlogbeat

witkacy · July 26, 2021, 12:02pm

Hello,

How can I change default name of Elasticsearch index in winlogbeat configuration?

I tried this but with no success:

winlogbeat.event_logs:
  - name: MY-Log
    ignore_older: 1h
    processors:
      - decode_xml:
            field: message
            target_field: xml_message
            ignore_missing: true
            ignore_failure: true
      - drop_fields:
            fields: ["host", "log", "event", "winlog", "message"]      
setup.template.settings:
 
setup.kibana:
queue.mem:
  events: 4096
  flush.min_events: 500
  flush.timeout: 10s
   
output.elasticsearch:
  hosts: ["http://localhost:9200"]
  output.elasticsearch.index: "customname-%{[agent.version]}-%{+yyyy.MM.dd}"

legoguy1000 · July 26, 2021, 12:49pm

This should just be index: as it is already under the output.elasticsearch block.

witkacy · July 26, 2021, 1:17pm

Thanks @legoguy1000 ,

looks that now configuration is ok but in the winlogbeat log I can see:

2021-07-26T15:14:16.884+0200 INFO [index-management] idxmgmt/std.go:184 Set output.elasticsearch.index to 'winlogbeat-7.13.2' as ILM is enabled.

legoguy1000 · July 27, 2021, 1:03am

I think u need to turn ILM off or it will default to that and override the index setting. Set setup.ilm.enabled: false

system · August 24, 2021, 3:03am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Changing the index name for winlogbeat sent to elasticsearch Beats winlogbeat	7	3209	March 27, 2019
Unable to change the default index in Winlogbeat.yaml Beats winlogbeat	15	2204	January 2, 2018
Change the default index pattern of winlogbeat? Beats winlogbeat	3	2122	July 17, 2018
How to change elasticsearch output index with default template Beats filebeat	3	1091	May 16, 2019
Winlogbeat 7.2.0 index name not changing despite specifying setup.template.name, setup.template.pattern Beats winlogbeat	5	1128	September 3, 2019

Change index name in winlogbeat

Related Topics