Filebeat Index Variables

KWBrandenWagner · July 23, 2019, 2:37pm

I'm sure this is already written somewhere, but I am obviously looking for the wrong words.

I just started using the SIEM in 7.2 and its working pretty good
I am using Filebeat modules for Zeek and Suricata. I want each of them to go into their own index something like filebeat-{MODULE-DATE} but I can't figure out how to do that. I'm assuming there is a module variable set somewhere..
Can this be done with filebeat? Or do i need to pass through a Logstash instance to accomplish this? Is there a list of filebeat system variables?

Thanks

pierhugues · July 25, 2019, 6:11pm

Hello @KWBrandenWagner,

Yes all modules add data to the events and you can use them after to generate the index. If you define the index in the output using the following I believe you will get what you want.

  index: "filebeat-%{[event.module]}-%{+yyyy.MM.dd}"

You might have to check your index pattern in kibana after, to make sure the siem app see the data.

Topic		Replies	Views
Dynamic filebeat index naming Beats beats-module , filebeat	2	385	July 22, 2020
Override index name while using the inbuilt filebeat modules Beats beats-module , filebeat	6	1143	August 10, 2020
Filebeat modules es index names Beats filebeat	2	337	July 18, 2019
One index/index template per module Beats beats-module , filebeat	1	405	February 16, 2022
Using Filebeat with multiple indices and logstash Beats filebeat	4	2831	January 13, 2020

Filebeat Index Variables

Related topics