Hello everyone.
I am trying to create an automation rollup system to archive and delete Check Point firewall logs based on conditions.
The problem I face is not being able to automate my Filebeat to write to the newly created index (after rollover).
Example to make things clear:
I have an index: checkpoint-000001
When it reaches 30 MB of data (for testing purposes) it creates a new index: checkpoint-000002, but my Filebeat is still writing to the first one. When the delete action occurs, it renews the index from scratch.
I can't seem to find a way to automate things from a config standpoint. Hope I was clear and thank you in advance.