Change the default index pattern of winlogbeat?

brisingertrece · June 19, 2018, 11:22am

Hi, I am trying to change the default pattern for the indexes generated by winlogbeat.
I have followed the indications of the official documentation, but at some point I have missed something ...

winlogbeat.yml:

#==================== Elasticsearch template setting ==========================

setup.template.settings:
setup.template.name: "coliflower"
setup.template.pattern: "coliflower-*"
...
#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:

Array of hosts to connect to.

enabled: true
hosts: ["myip:9200"]
index: "coliflower-%{+yyyy.MM.dd}"

winlogbeat\kibana\default\index-pattern\winlogbeat.json (I change winlogbeat-* for that):

...
"timeFieldName": "@timestamp",
"title": "coliflower-"
},
"id": "coliflower-",
"type": "index-pattern",
"version": 1
}
],
"version": "6.1.0"
}

winlogbeat\kibana\5.x\index-pattern (I change winlogbeat-* for that):

...
"timeFieldName": "@timestamp",
"title": "coliflower-*"
}

Results log:

CRIT Exiting: setup.template.name and setup.template.pattern have to be set if index name is modified.

If I put the following in the elasticsearch output (winlogbeat.yml):

#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:

Array of hosts to connect to.

enabled: true
hosts: ["myip:9200"]
output.elasticsearch.index: "coliflower-%{+yyyy.MM.dd}"

It starts but the indexes in elastic are:

yellow open winlogbeat-6.1.1-2018.06 ...
yellow open winlogbeat-6.1.1-2018.06 ...
yellow open winlogbeat-6.1.1-2018.06 ...

Someone knows what I'm doing wrong, the only thing I want is to change the name...

andrewkroh · June 19, 2018, 3:05pm

Firstly, please do not post screenshots of text. Just paste the raw text and surround it with three back-ticks to retain formatting.

Here's an example for changing the index name to use ISO weekly index naming. Adjust accordingly based on your naming requirements. But basically you need to set three settings when customizing the index naming (setup.template.name, setup.template.pattern, and output.elasticsearch.index).

setup.template:
  name:    'winlogbeat-%{[beat.version]}'
  pattern: 'winlogbeat-%{[beat.version]}-*'

output.elasticsearch:
  hosts: ['http://localhost:9200']
  index: 'winlogbeat-%{[beat.version]}-%{+xxxx.ww}'

brisingertrece · June 19, 2018, 3:35pm

This has worked perfect for me.
Thanks Andrew

system · July 17, 2018, 5:42pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Unable to change the default index in Winlogbeat.yaml Beats winlogbeat	15	2204	January 2, 2018
Changing the index name for winlogbeat sent to elasticsearch Beats winlogbeat	7	3211	March 27, 2019
How to configure winlogbeat to use existing index in elasticsearch Beats	5	511	October 4, 2018
Changing index pattern refuses to start Beats winlogbeat	3	475	November 10, 2018
Change index name in winlogbeat Beats winlogbeat	4	297	August 24, 2021

Change the default index pattern of winlogbeat?

Array of hosts to connect to.

Array of hosts to connect to.

Related topics