Filebeat 7.0.0 rename index

#1

Hello everyone,

I've lately tested Filebeat 7.0.0, but couldn't get it to work with my Elasticsearch cluster (also version 7.0.0) whenever I used the appropriate way to change the index name:
https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-template.html
First I had to disable ILM, which isn't stated anywhere, and after this data is incoming into ES under my newly created index. Unfortunately the data isn't complete, because all fields are missing...

FYI: I use the system-module to collect syslog and auth logs.

I would like to hear if anyone uses this type of configuration and can help out with some configuration snippets, or help with troubleshooting.

(Shaunak Kashyap) #2

Hi @nimda, welcome to the Elastic discussion forums :wave:!

Unfortunately it's currently not possible to change the index name with ILM enabled. And you're right that we don't state this clearly in our docs at the moment. I've created an issue to fix this: https://github.com/elastic/beats/issues/11866.

Can you elaborate on this please? Is your index being created at all? Are there any warnings or errors in the Filebeat logs?

#3

I downgraded my whole infrastructure back to 6.7.1 and it is now working fine. Fields missing means that the data was visible through Kibana, but only the timestamps; no other fields were inserted. I just had the @timestamp field.

I've tried to insert the template manually but this didn't solve my problem. Personally, for me it is very hard to get around what ILM is doing. I get the point from the documentation, but I couldn't get the point of how ILM is connecting my custom-named template to an existing ILM policy. Is it actually doing this? Or just ignoring the ILM policy if I have already inserted the default one? How can I change the name of the default policy? So many questions... :smiley:
