Hello everyone,
So i have ELK configured on a server and filebeat configured on a bunch of other servers which will be sending their log files to the ELK server. Now i need to be able to differentiate each servers' logs by the index name, but im not sure how can i do that.
Does the index name gets configured at the filebeat client or does it happen when it reaches logstash?
Thanks in advance for any help or guides.
Cheers!
Hi @Ghaith_Haddad,
if you want to set a custom index template name at each Filebeat
setup.template.name: "filebeat-server1"
setup.template.pattern: "filebeat-server1-*"
But I would say it is a better choice to look for a field that traces each server instance if you want to manage all logs in a single index.
Have you tried add_host_metadata ?
Also, adding your own fields could help here
Hi,
I'm struggling with the exact same issue. I've specified an index name under output, and am pointing setup.template.name and setup.template.pattern to the one I created based on the filebeat template.
setup.template.name: "yt-management"
setup.template.pattern: "yt-management-*"
and output has:
output.elasticsearch:
index: "yt-management-%{+yyyy.MM.dd}"
What am I missing here? My log output states
Sep 30 03:47:16 tw-man-srv01.prd01.activeinfra.net filebeat[21582]: 2019-09-30T03:47:16.684Z INFO [index-management] idxmgmt/std.go:178 Set output.elasticsearch.index to 'filebeat-7.3.2' as ILM is enabled.
even though I specify a custom index name.
Any help is greatly appreciated, been struggling with this two days already.
Kind regards,
Eric V.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.