Filebeat custom index

richard_N · July 26, 2019, 12:56pm

I'm running filebeat 7.2 and trying to capture some exchange logs and put them in their own custom index but they always seem to end up in the default filebeat index. Below is my filebeat.yml. I've tried setting the setup.template options to several different things with no luck. I want them to go into an index 'filebeat-exchange-*'

filebeat.inputs:

type: log
enabled: true
paths:
- C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Hub\Connectivity*.LOG
- C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Hub\ProtocolLog\SmtpReceive*.LOG
- C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Hub\ProtocolLog\SmtpSend*.LOG
- C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Frontend\ProtocolLog\Connectivity*.LOG
- C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Frontend\ProtocolLog\SmtpSend*.LOG
- C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Frontend\ProtocolLog\SmtpReceive*.LOG
- C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Mailbox\Connectivity\Delivery*.LOG
- C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Mailbox\Connectivity\Submission*.LOG
- C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Mailbox\ProtocolLog\SmtpReceive\Delivery*.LOG
- C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Mailbox\ProtocolLog\SmtpReceive\Submission*.LOG
- C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Mailbox\ProtocolLog\SmtpSend\Delivery*.LOG
- C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Mailbox\ProtocolLog\SmtpSend\Submission*.LOG

setup.template:
name: "filebeat"
pattern: "filebeat-*"
overwrite: true

output.elasticsearch:
hosts:
- es01:9200
- es02:9200
- es03.9200
index: "filebeat-exchange-%{[agent.version]}-%{+yyyy.MM.dd}"

tags: ["mail", "exchange"]

rugenl · July 26, 2019, 3:41pm

I think ILM may be the indirect cause here... With the 7.x versions ILM is enabled (says auto), so the default for the ilm_rollover_alias is "filebeat", and that field takes precidence over the index name.

Check the logs for the first startup, see if it tried to do things with "lifecycle management".

To verify if it's ILM confusion, you can set ilm_enabled: false.

We are sending exchange logs thru Logstash because there are a lot of fields to parse and process.... and most of their logs have a different format and the thought of common fields names is complete foreign to M$.

system · August 23, 2019, 3:41pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebat - Create a custom index on elasticsearch Beats filebeat	14	4771	October 23, 2019
Logs geeting stored in default filebeat 7.7.1 index and custom index not getting created Beats filebeat	3	552	July 17, 2020
Filebeat custom index name without logstash Beats filebeat	8	6269	January 24, 2019
Logstash not creating correct index for filebeat and packet beat Logstash	2	1768	July 6, 2017
Filebeat for both system\|service logs and application logs Beats filebeat	8	537	August 14, 2019

Filebeat custom index

Related topics