I'd like to use a custom pipeline for some logs and collect system events - everything by a single Filebeat instance. The question: is the following config "a good way" to do that? I had to configure index names and pipelines for the system module explicitly in the ES output:

    output.elasticsearch:
      enabled: true
      hosts: ["192.168.188.21:9200"]
      indices:
        # date suffix will be added in the pipeline
        - index: "ecs-net-7"
          when.equals:
            event.module: "tcpdump"
        - index: "filebeat-%{[agent.version]}-%{+yyyy.MM.dd}"
          when.equals:
            event.module: "system"
      pipelines:
        - pipeline: "resolve-ip-and-ports"
          when.equals:
            event.module: "tcpdump"
        - pipeline: "filebeat-%{[agent.version]}-system-syslog-pipeline"
          when.contains:
            log.file.path: "/system"
        - pipeline: "filebeat-%{[agent.version]}-system-auth-pipeline"
          when.contains:
            log.file.path: "/auth"

Actually, my expectation was that Filebeat would recognize the module's settings (index and pipeline names) automatically, but it didn't.