Ah, okay that's easy then. That seems to be working, because I have a new index with that name. My next problem is the 'type' being set. If I hook up stdout { codec => rubydebug } I get two types defined, and I think my filter is looking at the other one.
A sample from my debug log:
{
       "message" => "2015-11-03 14:43:14 W3SVC12 ca-web04 10.117.1.14 GET /test.jpg - 80 - 10.117.1.22 useragent - domain 200 0 0 9369 452 29 1.2.3.4 http",
      "@version" => "1",
    "@timestamp" => "2015-11-03T14:44:26.376Z",
         "count" => 1,
        "fields" => {
        "type" => "iis"
    },
      "fileinfo" => {},
    "input_type" => "",
          "line" => 4,
        "offset" => 1763763,
       "shipper" => "MarkDesktop",
        "source" => "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex151103_x.log",
          "type" => "log"
}
So it looks like my filebeat.yml is just adding a field that happens to be called type to the data, rather than setting the actual type (which defaults to "log").
# filebeat.yml
filebeat:
  prospectors:
    -
      paths:
        - "C:/inetpub/logs/LogFiles/W3SVC1/*.log"
      fields:
        type: iis
output:
  elasticsearch:
    enabled: false
  logstash:
    enabled: true
    hosts: ["logstash:5044"]
shipper:
Could I perhaps be having a problem related to this post: Misleading type attribute in filebeat config? Maybe I need to wait for RC1.
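To illustrate where the custom `type` actually ends up in the event shown above, here is an added example (not the poster's code, and not part of Filebeat or Logstash) that reads the rubydebug event as JSON, selects on `[fields][type]` the way a Logstash conditional would have to, and splits the IIS W3C line into named columns. The column names are an assumption based on the IIS default W3C field set; the real order comes from the `#Fields:` header of the log file.

```python
import json

# Constructed from the rubydebug sample above (trimmed to the relevant keys).
EVENT_JSON = r'''{
  "message": "2015-11-03 14:43:14 W3SVC12 ca-web04 10.117.1.14 GET /test.jpg - 80 - 10.117.1.22 useragent - domain 200 0 0 9369 452 29 1.2.3.4 http",
  "@version": "1",
  "fields": {"type": "iis"},
  "type": "log"
}'''

# ASSUMED column order: IIS default W3C fields plus two custom trailing columns.
IIS_COLUMNS = [
    "date", "time", "s-sitename", "s-computername", "s-ip", "cs-method",
    "cs-uri-stem", "cs-uri-query", "s-port", "cs-username", "c-ip",
    "cs(User-Agent)", "cs(Referer)", "cs-host", "sc-status", "sc-substatus",
    "sc-win32-status", "sc-bytes", "cs-bytes", "time-taken",
    "x-forwarded-for", "cs-protocol",  # assumed names for the two extra columns
]
INT_COLUMNS = ("s-port", "sc-status", "sc-substatus", "sc-win32-status",
               "sc-bytes", "cs-bytes", "time-taken")

def load_event():
    """Parse the constructed event into a dict (mirrors the rubydebug output)."""
    return json.loads(EVENT_JSON)

def event_type(event):
    """Return the type a Logstash conditional would need to test.

    With `fields: {type: iis}` in filebeat.yml the value lands under
    [fields][type]; the top-level [type] keeps Filebeat's default "log".
    """
    return event.get("fields", {}).get("type", event.get("type"))

def parse_iis_line(line):
    """Split one W3C log line into named columns; '-' means empty."""
    tokens = line.split(" ")
    if len(tokens) != len(IIS_COLUMNS):
        raise ValueError(f"expected {len(IIS_COLUMNS)} columns, got {len(tokens)}")
    parsed = {c: (None if t == "-" else t) for c, t in zip(IIS_COLUMNS, tokens)}
    for col in INT_COLUMNS:
        if parsed[col] is not None:
            parsed[col] = int(parsed[col])
    return parsed

def process(event):
    """Mimic `if [fields][type] == "iis" { ... }`: parse only IIS events."""
    if event_type(event) != "iis":
        return None
    return parse_iis_line(event["message"])

if __name__ == "__main__":
    ev = load_event()
    print(ev["type"], event_type(ev))  # log iis
    print(process(ev)["cs-uri-stem"], process(ev)["sc-status"])
```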