I am a newbie using the ELK stack, with this order:
Filebeat -> Elasticsearch -> Kibana
and using the Cisco module to parse Cisco ASA firewall logs.
The problem is that the Filebeat index is created in Elasticsearch but without the data; it is created empty.
filebeat.yml (modules section):

```yaml
filebeat.inputs:
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: true   # must be a boolean; "enable" is not a valid value
  reload.period: 10s
setup.template.settings:
  index.number_of_shards: 1
setup.kibana:
  host: "localhost:5601"
output.elasticsearch:
  hosts: ["localhost:9200"]
```
and this is my Cisco module (modules.d/cisco.yml):

```yaml
- module: cisco
  asa:
    enabled: true
    # Set which input to use between syslog (default) or file.
    var.paths: ["file path "]
    var.input: "file"
    # level.html
    var.log_level: 7
  ftd:
    enabled: false
  ios:
    enabled: false
```
This is the Elasticsearch query for available indices; the file size is 4 Gb and the index size is 208b:

```text
health          -> yellow
status          -> open
index           -> filebeat-7.7.1-2020.06.09-000001
uuid            -> 82OAOrrLQoaS_9bQKJWgrg
pri             -> 1
rep             -> 1
docs.count      -> 0
docs.deleted    -> 0
store.size      -> 208b
pri.store.size  -> 208b
```
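An added example, not part of the original post or of Filebeat itself: before debugging the Elasticsearch side of an empty `filebeat-*` index, it is worth confirming that the file named in `var.paths` actually contains messages in the shape the `cisco/asa` fileset expects, a `%ASA-<severity>-<message_id>:` tag, and that the configured `var.log_level` does not drop them (messages with a severity number higher than `var.log_level` are discarded). The script below is a stand-alone checker for that; the sample log lines, the host name `fw01` and the addresses are constructed for the demonstration, and `check_source` is a helper name chosen here, not a Filebeat command.

```python
"""Sanity-check a Cisco ASA log file the way the Filebeat cisco/asa fileset would read it.

Added example for the question above; not code from Filebeat or from the original poster.
"""
import pathlib
import re
import sys
from collections import Counter

# ASA (and FTD) syslog messages carry a "%ASA-<level>-<six-digit id>:" tag.
# Severity levels run 0 (emergencies) to 7 (debugging); the cisco/asa fileset
# keeps a message only when its level is <= var.log_level.
ASA_TAG = re.compile(r"%(?:ASA|FTD)-(?P<level>[0-7])-(?P<msg_id>\d{6}):\s*(?P<body>.*)")

# Constructed sample input (not captured from a real device). Message IDs and
# their severities follow the ASA syslog reference: 302013=6, 106023=4, 609001=7, 106001=2.
SAMPLE_LOG = """\
Jun  9 10:15:01 fw01 %ASA-6-302013: Built inbound TCP connection 1234 for outside:198.51.100.7/51234 (198.51.100.7/51234) to inside:10.0.0.5/443 (10.0.0.5/443)
Jun  9 10:15:02 fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.9/4444 dst inside:10.0.0.5/22 by access-group "OUTSIDE_IN"
Jun  9 10:15:03 fw01 %ASA-7-609001: Built local-host inside:10.0.0.5
Jun  9 10:15:04 fw01 %ASA-2-106001: Inbound TCP connection denied from 198.51.100.9/4444 to 10.0.0.5/22 flags SYN on interface outside
this line is not an ASA message and would not be parsed by the module
"""


def parse_asa_line(line):
    """Return {'level', 'msg_id', 'body'} for an ASA syslog line, or None if the tag is absent."""
    m = ASA_TAG.search(line)
    if m is None:
        return None
    return {
        "level": int(m.group("level")),
        "msg_id": m.group("msg_id"),
        "body": m.group("body").strip(),
    }


def summarize(lines, log_level=7):
    """Count parsable lines, unparsable lines and how many survive the var.log_level filter."""
    by_level = Counter()
    unparsed = 0
    kept = 0
    for raw in lines:
        rec = parse_asa_line(raw)
        if rec is None:
            if raw.strip():          # ignore blank lines, count everything else as noise
                unparsed += 1
            continue
        by_level[rec["level"]] += 1
        if rec["level"] <= log_level:
            kept += 1
    return {
        "parsed": sum(by_level.values()),
        "unparsed": unparsed,
        "kept": kept,
        "by_level": dict(by_level),
    }


def check_source(path, log_level=7):
    """Report on the file var.paths points at: missing, empty, or how much the fileset would keep."""
    p = pathlib.Path(path)
    if not p.is_file():
        return {"error": f"not a regular file: {path}"}
    with p.open(encoding="utf-8", errors="replace") as fh:
        result = summarize(fh, log_level)
    if result["parsed"] == 0:
        result["error"] = "no %ASA-/%FTD- tagged lines found; the cisco/asa fileset would index nothing"
    return result


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python asa_check.py /path/to/asa.log [log_level]
        level = int(sys.argv[2]) if len(sys.argv) > 2 else 7
        print(check_source(sys.argv[1], level))
    else:
        print(summarize(SAMPLE_LOG.splitlines()))
```

Run it against the real file from `var.paths`; a result with `parsed == 0` means the problem is the input (wrong path, wrong format, or a file the Filebeat user cannot read) rather than the Elasticsearch output, while a large `parsed` count with a small `kept` count points at `var.log_level`.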