Customized Index pattern

Hello,

I have a centralized ELK server, where data is getting shipped via winlogbeat and filebeat installed on client machines. Now I am trying to route cisco-asa device logs to this server. Up to some extent I am a bit successful in getting the data, but I am facing an issue creating a new index pattern for it via the logstash configuration. Please check the configuration below and help me in fixing it (the config below is not working):

Just to make it more clear,
when I get data from winlogbeat and filebeat, I get indexes in the winlogbeat-* and filebeat-* format.
I want the same kind of format for the firewall logs, but instead I am getting them in the
%{[@metadata][beat]}-* format. I want to achieve the firewall-* format.

input.conf

input {
  beats {
    port => 6099
  }

  udp {
    port => 5000
    type => "cisco-asa"
  }
}

output.conf

output {
  elasticsearch {
    hosts => ["localhost:9200"]
    sniffing => true
    manage_template => false

    if [type] == "cisco-asa" {
      index => "firewall-%{+YYYY.MM.dd}"
    }

    if [type] != "cisco-asa" {
      index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    }
  }

  stdout {
    codec => rubydebug
  }
}

Hi @Yashwant_Shettigar,

I got tired of conditionals in the output section and handle "index routing" like this:

input {
  udp {
    port => 5516
    codec => "json"
    add_field => {
      "[@metadata][index]" => "accesslog"
      "[@metadata][log_prefix]" => "dc"
    }
  }
}
filter {}

output {

  elasticsearch {
        hosts => ["10.1.1.1:9200"]
        index => "%{[@metadata][log_prefix]}-%{[@metadata][index]}-%{+YYYY.MM.dd}"
  }

}

So I set metadata fields per input that I use later on the output. These metadata fields can also be added or manipulated in the filter section...

If I remember correctly from the time I did use if statements for the outputs, you need to have the if statement in the root of the output section and have the whole elasticsearch config within each if.
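The same metadata-routing idea applied to the two inputs from the question, written as an added illustration rather than code from either post (the ports, host and type come from the question, the [@metadata][index] field name from the reply; the filter step that copies [@metadata][beat] into it is an assumption about how to unify the two paths):

```logstash
input {
  beats {
    port => 6099
  }

  udp {
    port => 5000
    type => "cisco-asa"
    # Tag firewall events with their routing key at the input; @metadata
    # fields are never written into the indexed document itself.
    add_field => { "[@metadata][index]" => "firewall" }
  }
}

filter {
  # Beats events arrive with [@metadata][beat] (winlogbeat, filebeat).
  # Copy it into the same routing key so a single index expression
  # serves both sources and no conditional is needed in the output.
  if ![@metadata][index] {
    mutate {
      add_field => { "[@metadata][index]" => "%{[@metadata][beat]}" }
    }
  }
}

output {
  elasticsearch {
    hosts => ["localhost:9200"]
    sniffing => true
    manage_template => false
    # Yields firewall-YYYY.MM.dd, winlogbeat-YYYY.MM.dd, filebeat-YYYY.MM.dd
    index => "%{[@metadata][index]}-%{+YYYY.MM.dd}"
  }
}
```

If you prefer conditionals instead, they must sit at the top level of the output section with a complete elasticsearch block inside each branch, not inside the plugin's own braces.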

Bravooooo A_B !!!
Thanks a lot for the solution.
