hi, custom indexes didn't creating using winlogbeat-7.2.1 version.
Below my winlogbeat configuration that properly works in winlogbeat 6.8.1.
###################### wlb Configuration ##########################
winlogbeat.event_logs:
- name: Application
ignore_older: 72h
level: critical, error, warning
- name: System
ignore_older: 72h
level: critical, error, warning
- name: DFS Replication
ignore_older: 72h
- name: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
event_id: 21
ignore_older: 72h
setup.template:
name: "custom-sys"
pattern: "custom-sys-*"
settings:
index.number_of_shards: 1
index.number_of_replicas: 1
index.codec: best_compression
name: "custom-app"
pattern: "custom-app-*"
settings:
index.number_of_shards: 1
index.number_of_replicas: 1
index.codec: best_compression
name: "custom-sec"
pattern: "custom-sec-*"
settings:
index.number_of_shards: 1
index.number_of_replicas: 1
index.codec: best_compression
output.elasticsearch:
# Array of hosts to connect to.
indices:
- index: "custom-sys-%{+yyyy.MM}"
when:
or:
- equals.log_name: "System"
- equals.log_name: "DFS Replication"
- index: "custom-app-%{+yyyy.MM}"
when.equals:
log_name: "Application"
- index: "custom-sec-%{+yyyy.MM}"
when.equals:
log_name: "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
hosts: ["myelasticsearch:9200"]
Could you please help me to solve the issue, thanks.
I'm following the documentation:https://www.elastic.co/guide/en/beats/winlogbeat/current/elasticsearch-output.html
setup.ilm.enabled: false
winlogbeat.event_logs:
- name: Application
ignore_older: 72h
- name: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
event_id: 21
ignore_older: 72h
setup.template.settings:
index.number_of_shards: 1
index.number_of_replicas: 0
output.elasticsearch:
hosts: ["elasticsearch:9200"]
indices:
- index: "wlb-test-app-%{+yyyy.MM}"
when.equals:
log_name: "Application"
- index: "wlb-test-sec-%{+yyyy.MM}"
when.equals:
log_name: "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
But indexes created with defaults names:
If I specify index: before indices: I will send all logs into one Index.
I have created my whole cluster (because I have contenerized elk, kibana and filebeat) from begining with also set:
setup:
ilm:
enabled: false
but still have only one index filebeat-*
any help?
stefws
December 7, 2019, 7:49pm
4
Remember that indention matters so try to indenting all settings under your setup.template properly like:
setup.template:
name: "custom-sys"
pattern: "custom-sys-*"
settings:
index.number_of_shards: 1
index.number_of_replicas: 1
index.codec: best_compression
name: "custom-app"
pattern: "custom-app-*"
settings:
index.number_of_shards: 1
index.number_of_replicas: 1
index.codec: best_compression
name: "custom-sec"
pattern: "custom-sec-*"
settings:
index.number_of_shards: 1
index.number_of_replicas: 1
index.codec: best_compression
or use full qualifying name ala:
setup.template.name: "custom-sys"
setup.template.pattern: "custom-sys-*"
setup.template.settings.index.number_of_shards: 1
setup.template.settingsindex.number_of_replicas: 1
setup.template.settings.index.codec: best_compression
setup.template.name: "custom-app"
setup.template.pattern: "custom-app-*"
setup.template.settings.index.number_of_shards: 1
setup.template.settings.index.number_of_replicas: 1
setup.template.settings.index.codec: best_compression
setup.template.name: "custom-sec"
setup.template.pattern: "custom-sec-*"
setup.template.settings.index.number_of_shards: 1
setup.template.settings.index.number_of_replicas: 1
setup.template.settings.index.codec: best_compression
No, it's not working. The latest elasticsearch version that separate by indexes is 6.8.1
system
January 8, 2020, 4:32pm
6
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
