This is my current output:
```
output {
  if [type] == "syslog" {
    elasticsearch {
      hosts => ["localhost:9200"]
      index => "logstash-%{+yyyy.MM.dd}"
    }
    stdout { codec => rubydebug }
    # Literal file name: "%{logstash}" would be a reference to an event field named
    # "logstash", which these events do not carry, and the placeholder would be left as-is.
    file { path => "/etc/logstash/logstash-data/logstash.%{+YYYY.MM.dd}" }
  }
  if [type] == "winlogbeat" {
    elasticsearch {
      hosts => ["localhost:9200"]
      index => "winlogbeat-%{+yyyy.MM.dd}"
    }
    stdout { codec => rubydebug }
    # Same fix as above: literal "winlogbeat" rather than a "%{winlogbeat}" field reference.
    file { path => "/etc/logstash/logstash-data/winlogbeat.%{+YYYY.MM.dd}" }
  }
}
```
However I am creating a `winlogbeat-2022.03.21` index and a `logstash` index. In other words, only the winlogbeat index has the date. Can anyone tell me why or show me how to fix this?
Also this is my current `date` filter:

```
date {
  match  => [ "[sslvpn][time]", "yyyy-MM-dd HH:mm:ss" ]
  target => "@timestamp"
}
```
But I'm unsure what else to add. I understand that winlogbeat might have the built-in yyyy.MM.dd format, but SSLVPN/Logstash may need to be filtered/created on its own.
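Added example, not part of the post above: a pipeline fragment that pins the daily index name explicitly and handles the date-parse failure mode. It assumes the same `[type]` values and `[sslvpn][time]` field as the post; the timezone value is a placeholder. One thing worth ruling out is that with `ilm_enabled` left at its `auto` default on a 7.x or newer cluster the elasticsearch output can resolve to ILM, in which case the rollover alias (default `logstash`) takes precedence over `index`, which would match a dateless `logstash` target beside a dated `winlogbeat-...` one.

```logstash
filter {
  if [type] == "syslog" {
    date {
      match  => [ "[sslvpn][time]", "yyyy-MM-dd HH:mm:ss" ]
      target => "@timestamp"
      # The pattern carries no zone, so the parse uses the Logstash host's zone unless
      # told otherwise, while %{+yyyy.MM.dd} in an index name is always evaluated in UTC.
      # Placeholder: replace with the zone the SSL VPN appliance actually logs in.
      timezone => "UTC"
      # Default tag, written out so the routing below is self-explanatory.
      tag_on_failure => [ "_dateparsefailure" ]
    }
  }
}

output {
  if "_dateparsefailure" in [tags] {
    # A failed parse leaves @timestamp at ingest time, so the VPN event would land in the
    # wrong daily index and show up "late" on any timeline. Park it where it gets reviewed.
    elasticsearch {
      hosts       => ["localhost:9200"]
      index       => "logstash-dateparsefailure-%{+yyyy.MM.dd}"
      ilm_enabled => false
    }
  } else if [type] == "syslog" {
    elasticsearch {
      hosts => ["localhost:9200"]
      index => "logstash-%{+yyyy.MM.dd}"
      # Pin the index name: when ILM is in use the ilm_rollover_alias wins over index.
      ilm_enabled => false
    }
  } else if [type] == "winlogbeat" {
    elasticsearch {
      hosts       => ["localhost:9200"]
      index       => "winlogbeat-%{+yyyy.MM.dd}"
      ilm_enabled => false
    }
  }
}
```

Checking the output plugin's startup log lines for an ILM message, and whether `GET _cat/aliases` shows a `logstash` alias, tells you whether that path was taken before the change.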