Hi @griffer98
It is different from your example... as I just ran mine and it worked exactly, you have extra lines.
Assuming you are starting from the base filebeat.yml, did you see the docs here for the next practice?
One caution: if you set the dashboard setting, only have it enabled when you run `filebeat setup`, then comment it out... otherwise it will try to load the dashboards every time you start.
My entire Filebeat (this is my entire filebeat, not a snippet):
```yaml
filebeat.inputs:
- type: filestream
  id: my-filestream-id
  enabled: true
  paths:
    - /var/log/*.log

filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false

setup.template.settings:
  index.number_of_shards: 1

setup.template.name: "myindex-%{[agent.version]}"
setup.template.pattern: "myindex-%{[agent.version]}"

setup.kibana:

output.elasticsearch:
  hosts: ["localhost:9200"]
  index: "myindex-%{[agent.version]}"
  preset: balanced
```
Then run setup; it creates the template and data stream
`.\filebeat setup -e`
Then run
`.\filebeat -e`
Then running ships the data to the correct backing index
```
GET myindex-8.12.1/_search

# Result
{
  "took": 2,
  "timed_out": false,
  "_shards": {
    "total": 1,
    "successful": 1,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": {
      "value": 10000,
      "relation": "gte"
    },
    "max_score": 1,
    "hits": [
      {
        "_index": ".ds-myindex-8.12.1-2024.02.27-000001",
        "_id": "gZSj7I0BBi-RUJEfXTUa",
        "_score": 1,
        "_source": {
          "@timestamp": "2024-02-27T22:15:35.481Z",
          "input": {
            "type": "filestream"
          },
          "ecs": {
            "version": "8.0.0"
          },
          "host": {
            "mac": [
              "16-29-36-97-5A-61",
              "2A-79-B1-6A-5B-54",
              "5C-52-30-9C-EF-E0",
              "5E-52-30-C9-1E-64",
              "7E-52-30-9C-EF-E0",
              "82-B2-58-49-30-00",
              "82-B2-58-49-30-01",
              "82-B2-58-49-30-04",
              "82-B2-58-49-30-05",
              "AC-DE-48-00-11-22"
            ],
            "hostname": "hyperion.local",
            "architecture": "x86_64",
            "os": {
              "family": "darwin",
              "name": "macOS",
              "kernel": "23.3.0",
              "build": "23D60",
              "type": "macos",
              "platform": "darwin",
              "version": "14.3.1"
            },
            "id": "9E46F076-B7F1-53AA-921B-C2F983746B79",
            "ip": [
              "fe80::aede:48ff:fe00:1122",
              "fe80::1044:6645:65ff:4a82",
              "10.0.5.189",
              "fe80::2879:b1ff:fe6a:5b54",
              "fe80::2879:b1ff:fe6a:5b54",
              "fe80::464f:d4f:a4e2:74b8",
              "fe80::5717:2cd1:1158:7ad",
              "fe80::3ad7:2f31:4b2:436a",
              "fe80::ce81:b1c:bd2c:69e",
              "192.168.64.1",
              "fe80::5c52:30ff:fec9:1e64",
              "fd4f:f065:6c04:18a9:1ca9:5641:25f7:9947"
            ],
            "name": "hyperion.local"
          },
          "agent": {
            "name": "hyperion.local",
            "type": "filebeat",
            "version": "8.12.1",
            "ephemeral_id": "afc195d0-8ba1-4fb7-9553-a8d326878818",
            "id": "8494fae1-ecc8-4b6b-be8a-6f8f770bc5c5"
          },
          "message": """Wed Feb 21 22:27:26 hyperion jamf[38716]: Checking for policies triggered by "recurring check-in" for user "sbrown"...""",
          "log": {
            "offset": 2294128,
            "file": {
              "path": "/var/log/jamf.log",
              "device_id": "16777221",
              "inode": "87944943"
            }
          }
        }
      },
....
```