Filebeat Index Variables

KWBrandenWagner · July 23, 2019, 2:37pm

I'm sure this is already written somewhere, but I am obviously looking for the wrong words.

I just started using the SIEM in 7.2 and its working pretty good
I am using Filebeat modules for Zeek and Suricata. I want each of them to go into their own index something like filebeat-{MODULE-DATE} but I can't figure out how to do that. I'm assuming there is a module variable set somewhere..
Can this be done with filebeat? Or do i need to pass through a Logstash instance to accomplish this? Is there a list of filebeat system variables?

Thanks

pierhugues · July 25, 2019, 6:11pm

Hello @KWBrandenWagner,

Yes all modules add data to the events and you can use them after to generate the index. If you define the index in the output using the following I believe you will get what you want.

  index: "filebeat-%{[event.module]}-%{+yyyy.MM.dd}"

You might have to check your index pattern in kibana after, to make sure the siem app see the data.

system · August 22, 2019, 6:11pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat system modules Beats filebeat	18	5633	May 1, 2018
Filebeat modules es index names Beats filebeat	2	326	July 18, 2019
Using Filebeat with multiple indices and logstash Beats filebeat	4	2723	January 13, 2020
Filebeat Events are shown at Kibana Discovery, but not at SIEM SIEM	3	513	July 21, 2020
Problem creating index Beats filebeat	7	573	May 25, 2020

Filebeat Index Variables

Related topics