Enable 2 different filebeat modules & send to different index name

TsuWeiQuan · June 27, 2019, 6:24am

Hello,

I am trying to use a single filebeat, enabled with system & apache module to send to elasticsearch. I would want to have a system index and a apache index. How can i do this?
ILM is enabled for me and for a single module, i set my index via this setting:

setup.ilm.enabled: auto
setup.ilm.rollover_alias: "filebeat-linuxclient"
setup.ilm.pattern: "{now/d}-000001"
setup.ilm.overwrite: false

now i would like to have filebeat-linuxclient-system and filebeat-linuxclient-apache as the alias.

This is my current filebeat.yml file settings for enabling system module:

filebeat.inputs:

filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: true

setup.template.settings:
  index.number_of_shards: 1

setup.kibana:
  host: "kibana:5601"

output.elasticsearch:
  hosts: ["esnode1:9200", "esnode2:9200", "esnode3:9200"]

processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~

logging.metrics.period: 60

setup.ilm.enabled: auto
setup.ilm.rollover_alias: "filebeat-linuxclient"
setup.ilm.pattern: "{now/d}-000001"
setup.ilm.overwrite: false

How can i do this?

Evesy · June 27, 2019, 8:48pm

Hi,

Does my comment in this thread help with what you're trying to achieve?

TsuWeiQuan · June 28, 2019, 10:41am

Should I comment out the ILM settings?

I guess I should write these settings in filebeat.yml and

output.elasticsearch:
  index: "default-%{+yyyy.MM.dd}"
  indices:
    - index: "filebeat-system-%{+yyyy.MM.dd}"
      when.equals:
        application: "system"
    - index: "filebeat-apache-%{+yyyy.MM.dd}"
      when.equals:
        application: "apache"

Do I need to tag application: system and application: apache in their modules config file?

Evesy · June 28, 2019, 10:44am

I'm not familiar with ILM so I can't say what you'd want to do with that.

application was just an example of a potential field name you could use to differentiate between the two log sources.

I think given you're using two different modules you can probably use the event.module field or something similar to configure different index outputs.

TsuWeiQuan · June 28, 2019, 11:04am

Alright i will give it a try! Thanks

system · July 26, 2019, 11:04am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Send to different indices with filebeat modules and ILM enabled Beats filebeat	1	815	February 25, 2021
Custom Index Name for Apache Module, but using ILM as well Beats filebeat	3	889	May 4, 2020
ILM and using one index per Filebeat module Beats filebeat	3	1338	November 28, 2019
Issue with sending apache logs to elasticsearch with different indices Beats filebeat	1	399	July 5, 2023
Filebeat, ILM and multiple indices Beats filebeat	7	3359	March 29, 2020

Enable 2 different filebeat modules & send to different index name

Related topics