Filebeat puts all logs in only one index

I have a server with nginx running on it. I'm trying to make the filebeat installed on this server send logs to elasticsearch directly. It sends logs, but puts them in the "common" index filebeat-7.9.3-2020.11.04-000001

Here is filebeat config:

    filebeat.config:
      modules:
        path: ${path.config}/modules.d/*.yml
        reload.enabled: false
    filebeat.modules:
    - module: nginx
      access:
        enabled: true
        var.paths: ["/var/log/nginx/access.log*"]
      error:
        enabled: true
        var.paths: ["/var/log/nginx/error.log*"]
      ingress_controller:
        enabled: false

    output.elasticsearch:
      hosts: "my-ELK-server"
      index: "nginx-%{+yyyy.MM.dd}"
    setup.template.pattern: "nginx-*"
    setup.template.name: "nginx"
    setup.template.settings:
      index.number_of_replicas: 0

Filebeat also created a pipeline in the ingest node, but still doesn't put this log in a special index.
What should I configure to achieve this?

Since I lack experience with the Elastic Stack, maybe I misunderstood - where should the definition of special index creation be?

  1. In filebeat.yml config?
  2. In Ingest node pipeline?
  3. Do I need to create Index template for it?

Hey @yukpun, welcome to discuss!

What you see is the default and recommended behaviour. Indexes are managed by ILM and they are rotated every month or every 50GB, whichever happens first. This configuration should be ok for most cases. In any case, it can be customized using the ILM API, or the Kibana management UI.

If for some reason you need to change the index name, or you want to disable ILM and manage index configuration yourself, take a look at the ILM docs for filebeat: https://www.elastic.co/guide/en/beats/filebeat/7.9/ilm.html

Thanks, this helped. I disabled ILM and now I have the indexes that I want.

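The change described in the replies, written out as a filebeat.yml for Filebeat 7.x (an added example, not code from the original posters): while ILM is active, `output.elasticsearch.index` and the `setup.template.name`/`setup.template.pattern` settings are ignored, so the example turns ILM off. The commented-out alternative keeps ILM and only renames the write alias; the alias name `nginx` there is an assumption.

```yaml
filebeat.config:
  modules:
    path: ${path.config}/modules.d/*.yml
    reload.enabled: false

filebeat.modules:
- module: nginx
  access:
    enabled: true
    var.paths: ["/var/log/nginx/access.log*"]
  error:
    enabled: true
    var.paths: ["/var/log/nginx/error.log*"]

# Option A: disable ILM so the custom index name below takes effect.
# Rotation and retention of the daily nginx-* indices are then your job.
setup.ilm.enabled: false

# Required whenever output.elasticsearch.index is customised.
setup.template.name: "nginx"
setup.template.pattern: "nginx-*"
setup.template.settings:
  index.number_of_replicas: 0

output.elasticsearch:
  hosts: ["my-ELK-server"]
  index: "nginx-%{+yyyy.MM.dd}"

# Option B (instead of A): keep ILM-managed rollover and rename the alias.
# Indices are then created as nginx-<date>-000001, nginx-<date>-000002, ...
# Remove the index: line above when using this option.
#
# setup.ilm.enabled: true
# setup.ilm.rollover_alias: "nginx"      # assumed alias name
# setup.template.overwrite: true         # reload the template after renaming
```

Events already written to the `filebeat-7.9.3-*` index stay there; only events shipped after Filebeat restarts with the new settings land in the new index.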