Hello there,
I have the following situation: I run Filebeat on a dedicated server for the panw module, with a dedicated port. Our Palo Alto firewall ships its logs via syslog to the Filebeat server.
If I run Filebeat on that server with the default configuration, the index name, aliases and ILM work fine. But when I add the following to "output.elasticsearch":
indices:
  - index: "filebeat-%{[event.module]}-%{+yyyy.MM.dd}"
    when.has_fields: ['event.module']
I get an index called "filebeat-panw-2022.09.28" without an alias, and therefore I am unable to assign an ILM policy.
What do I have to do to set up a dedicated index for the Palo Alto firewall with a dedicated ILM policy?
Thanks in advance!
Greets
Boris
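The behaviour described in the post is expected: an `output.elasticsearch.indices` rule writes straight to a concrete index name, so Filebeat never creates a rollover alias or attaches a policy to it. Since this Filebeat instance only handles the panw module, the simpler route is to let Filebeat's own index management create a dedicated alias and policy and send every event there. The following `filebeat.yml` is an added example, not part of the original post or of Filebeat's shipped configuration; it assumes Filebeat 7.x (alias-based ILM rather than data streams), the alias and policy name `filebeat-panw`, the syslog port 9001, the Elasticsearch host shown, and a policy JSON file at the path given.

```yaml
# filebeat.yml on the dedicated panw Filebeat host (added example; names,
# paths and ports are assumptions for illustration).
filebeat.modules:
  - module: panw
    panos:
      enabled: true
      var.syslog_host: 0.0.0.0
      var.syslog_port: 9001        # assumption: the dedicated syslog listener

# Let Filebeat manage a dedicated rollover alias and ILM policy instead of
# routing through output.elasticsearch.indices, which creates plain indices
# with no alias (and so nothing for a policy to attach to).
setup.ilm.enabled: true
setup.ilm.rollover_alias: "filebeat-panw"   # write alias the events are sent to
setup.ilm.pattern: "{now/d}-000001"         # backing indices: filebeat-panw-2022.09.28-000001, ...
setup.ilm.policy_name: "filebeat-panw"      # assumption: dedicated policy name
setup.ilm.policy_file: "/etc/filebeat/panw-ilm-policy.json"  # assumption: your own policy JSON
setup.ilm.overwrite: false                  # do not clobber edits made later in Kibana

# The index template must cover the alias's backing indices, otherwise the
# module's mappings are not applied to them.
setup.template.name: "filebeat-panw"
setup.template.pattern: "filebeat-panw-*"

output.elasticsearch:
  hosts: ["https://elasticsearch.example.internal:9200"]  # assumption
  # Deliberately no index/indices here: with ILM enabled Filebeat writes to
  # the rollover alias, and the alias's write index rolls over per the policy.
```

Run `filebeat setup --index-management` once before starting the service so the policy, template, alias and bootstrap index exist, then check in Kibana Dev Tools with `GET _cat/aliases/filebeat-panw?v` (one backing index with `is_write_index` true) and `GET filebeat-panw-*/_ilm/explain` (the `policy` field should read `filebeat-panw`). If you later want one Filebeat to serve several modules, Filebeat can only manage one rollover alias, so create the other aliases, templates and bootstrap indices in Elasticsearch yourself and point each `indices` rule at the alias name rather than at a dated index name.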