Filebeat Index with Module in Name -> Alias and ILM

BoKu · September 28, 2022, 9:50am

Hello there,

i do have the following situation. I run Filebeat on an dedicated server for the panw-Module, with a dedicated Port. Our Paloalto Firewall is shipping the logs via syslog to the filebeat-server.
If i run filebeat on that server with the default configuration, the indexname, aliases and ILM is working fine. But when i add the following to the "output.elasticsearch":

indices:
    - index: "filebeat-%{[event.module]}-%{+yyyy.MM.dd}"
      when.has_fields: ['event.module']

I get an index called: "filebeat-panw-2022.09.28, without an alias an ergo i am unable to assign an ILM-Policy

What do i have to do to setup a dedicated index for the paloalto firewall with a dedicated ILM-Policy?

Thanks in advance!

Greets
Boris

system · October 26, 2022, 9:51am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Index name for modules Beats filebeat	4	1359	September 11, 2019
How to add an alias to index by using filebeat? Beats ilm-index-lifecycle-management , filebeat	2	1134	August 1, 2022
Dynamic Beat Index with ILM Beats ilm-index-lifecycle-management , beats-module , filebeat	3	323	September 27, 2021
Filebeat, ILM and multiple indices Beats filebeat	7	3360	March 29, 2020
Filebeat creates wrong index name Beats ilm-index-lifecycle-management , filebeat	4	1360	January 16, 2020

Filebeat Index with Module in Name -> Alias and ILM

Related topics