Help: Only winlogbeat index with date being created

This is my current output:

output {
        if [type] == "syslog" {
                elasticsearch {
                        hosts => ["localhost:9200"]
                        index => "logstash-%{+yyyy.MM.dd}"
                }
                stdout { codec => rubydebug }
                file { path => "/etc/logstash/logstash-data/%{logstash}.%{+YYYY.MM.dd}" }
        }

        if [type] == "winlogbeat" {
                elasticsearch {
                        hosts => ["localhost:9200"]
                        index => "winlogbeat-%{+yyyy.MM.dd}"
                }
                stdout { codec => rubydebug }
                file { path => "/etc/logstash/logstash-data/%{winlogbeat}.%{+YYYY.MM.dd}" }
        }
}

However, I am creating a winlogbeat-2022.03.21 index and a logstash index. In other words, only the winlogbeat index has the date. Can anyone tell me why or show me how to fix this?

Also this is my current date field in my filter:

date {
        match => [ "[sslvpn][time]", "yyyy-MM-dd HH:mm:ss" ]
        target => "@timestamp"
}

But I am unsure what else to add. I understand that winlogbeat might have the built-in yyyy.MM.dd format, but SSLVPN/Logstash may need to be filtered/created on its own.

Shouldn't your second "if" be "else if"?

Not 100% sure but my winlogbeat seems to be working as intended just with the "if".
