Filebeat Index Variables

KWBrandenWagner · July 23, 2019, 2:37pm

I'm sure this is already written somewhere, but I am obviously looking for the wrong words.

I just started using the SIEM in 7.2 and its working pretty good
I am using Filebeat modules for Zeek and Suricata. I want each of them to go into their own index something like filebeat-{MODULE-DATE} but I can't figure out how to do that. I'm assuming there is a module variable set somewhere..
Can this be done with filebeat? Or do i need to pass through a Logstash instance to accomplish this? Is there a list of filebeat system variables?

Thanks

pierhugues · July 25, 2019, 6:11pm

Hello @KWBrandenWagner,

Yes all modules add data to the events and you can use them after to generate the index. If you define the index in the output using the following I believe you will get what you want.

  index: "filebeat-%{[event.module]}-%{+yyyy.MM.dd}"

You might have to check your index pattern in kibana after, to make sure the siem app see the data.

system · August 22, 2019, 6:11pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.