If you want to pass through
beats->logstash->es
and have all the templates, ILM, pipelines etc. work, your Logstash conf should look like this.
Configure the correct Elasticsearch endpoint and creds.
Do not change the other settings, ILM and Pipelines etc.
################################################
# beats->logstash->es default config.
################################################
input {
  beats {
    port => 5044
  }
}
output {
  # Events for which Beats set an ingest pipeline are sent through that pipeline.
  if [@metadata][pipeline] {
    elasticsearch {
      # Endpoint and credentials: set these to your own values.
      hosts => "http://localhost:9200"
      manage_template => false
      index => "%{[@metadata][beat]}-%{[@metadata][version]}"
      pipeline => "%{[@metadata][pipeline]}"
      user => "elastic"
      password => "secret"
    }
  } else {
    # Events without a pipeline are indexed directly.
    elasticsearch {
      hosts => "http://localhost:9200"
      manage_template => false
      index => "%{[@metadata][beat]}-%{[@metadata][version]}"
      user => "elastic"
      password => "secret"
    }
  }
}
This is the general process if you want to use all the Beats functionality but pass through Logstash.
- You may need to clean up.
- Configure your beats / modules how you want.
- Point the beats output to elasticsearch and run
packetbeat setup -e
- Then go back into packetbeat.yml and configure the output to logstash, comment out the elasticsearch output.
- Start logstash with the conf above
- Start packetbeat
When you name the index with the -00001 etc it will never write to the new index etc.
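
The output section of packetbeat.yml as it stands after the last steps above, as an added example that is not part of the original post. It assumes Logstash runs on the same host (`localhost:5044` matches the beats input port in the conf above) and reuses the placeholder endpoint and credentials from that conf.

```yaml
# packetbeat.yml (output section only; added example, values are placeholders)

# Setup phase: this output is active while running `packetbeat setup -e`,
# so the templates, ILM policy and ingest pipelines are loaded directly
# into Elasticsearch. Once setup has finished it is commented out, because
# Beats accepts only one enabled output at a time.
#output.elasticsearch:
#  hosts: ["http://localhost:9200"]
#  username: "elastic"
#  password: "secret"

# Run phase: events go to the Logstash beats input, which forwards them to
# Elasticsearch using the index and pipeline carried in [@metadata].
output.logstash:
  hosts: ["localhost:5044"]
```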