How to change inbuilt modules index name with the same fields?

I want to change the default filebeat-* index name to zeek-* with the same fields as configured in zeek.yml. Until now I have changed:

```yaml
output.elasticsearch:
  hosts: ["localhost:9200"]
  protocol: "http"
  index: "zeek-%{+yyyy.MM.dd}"

setup.template:
  name: 'zeek-'
  pattern: 'zeek-*'
  enabled: true
setup.ilm.enabled: false
```

but I am still getting all the fields in the filebeat-* index instead of the zeek-* index. Any help is appreciated.

Hi @sana1 :slightly_smiling_face:

Can you paste the entire config file with proper markdown formatting, please? It's often an error in the YAML indentation.
https://www.elastic.co/guide/en/beats/filebeat/7.7/elasticsearch-output.html

```yaml
filebeat.inputs:
  - type: log
    enabled: false

filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: true
  reload.period: 10s

setup.template.name: "zeek-*"
setup.template.fields: "fields.yml"
setup.template.overwrite: false
setup.template.settings:
  index.number_of_shards: 1
  index.number_of_replicas: 1

setup.dashboards:
  index: "zeek-*"

setup.kibana:
  # Kibana Host
setup.ilm.enabled: false
#-------------------------- Elasticsearch output ------------------------------

output.elasticsearch:
  hosts: ["localhost:9200"]
  indices:
    - index: "zeek-%{+yyyy.MM.dd}"
```

This is my config with the Zeek module enabled; I still get no fields in the zeek-* index.

It is a bit confusing here since you are configuring zeek.yml, but I would think you need to have those inside filebeat.yml.
Alternatively, if you have set Filebeat to communicate with Elasticsearch through Logstash, then you may want to put that in the output.elasticsearch.index field of logstash/conf.d/{config-file-name}.conf, like this:

```
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    manage_template => false
    # index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    index => "zeek-%{+YYYY.MM.dd}"
  }
}
```

The commented line is actually the one that created the filebeat-* pattern.

Remember to restart Logstash if you set this in Logstash, or restart the Filebeat service if you set this inside Filebeat.
You will also need to add the index pattern to Logstash.

However, above all, providing details about your setup will be more helpful to those who may want to lend a hand.
You can also look at the logs to check if anything is being logged there.

Good luck

I am using Filebeat and Elasticsearch; no Logstash is being used. Using the default settings of the Zeek module of Elasticsearch SIEM, I am able to get all 2550 fields of Zeek with the filebeat-* index, but I want all the JSON fields in the zeek-* index. With the above-mentioned settings I am able to get the zeek-* index, but with 69 system fields only. This is the problem.

Can you try removing the indices key here?

```yaml
output.elasticsearch:
  hosts: ["localhost:9200"]
  index: "zeek-%{+yyyy.MM.dd}"
```
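A complete filebeat.yml for the Filebeat-to-Elasticsearch setup described in this thread, as an added example and not one of the posters' own configs. It assumes Filebeat 7.7 (the version of the linked docs), Elasticsearch at localhost:9200 and the Zeek module enabled in modules.d; the template name "zeek", the comments and the verification commands at the end are my choices, not something the thread states.

```yaml
# Added example: ship the Zeek module's events to zeek-* with the module's
# field mappings applied. Assumes Filebeat 7.7 and Elasticsearch on
# localhost:9200; not a config posted in the thread.

filebeat.config.modules:
  # zeek.yml lives here; enable it with `filebeat modules enable zeek`
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false

# On 7.x ILM is on by default, and while it is on output.elasticsearch.index
# and the template name/pattern are ignored (events go to the filebeat-*
# rollover alias). Disable it so the custom index name takes effect.
setup.ilm.enabled: false

# Changing the index name requires changing the template name and pattern too.
# The default filebeat-<version>-* template never matches zeek-2020.06.01, so
# without this the zeek-* index only gets dynamically mapped fields (the "69
# fields" symptom) instead of the module mappings.
setup.template.enabled: true
setup.template.name: "zeek"
setup.template.pattern: "zeek-*"
# The fields.yml shipped with Filebeat already contains the module fields
# (Zeek included), so the template loaded under the new name has the same
# mappings as the default filebeat template.
setup.template.fields: "fields.yml"
# Set to true for one restart if a template named "zeek" was already loaded
# by an earlier attempt, so the new pattern replaces it; then set back to false.
setup.template.overwrite: false
setup.template.settings:
  index.number_of_shards: 1
  index.number_of_replicas: 1

output.elasticsearch:
  hosts: ["localhost:9200"]
  protocol: "http"
  # One fixed index name. The `indices` list is for index selector rules and
  # is what the last reply in the thread suggests removing.
  index: "zeek-%{+yyyy.MM.dd}"

# Verify after restarting Filebeat (legacy template API, valid on 7.x):
#   curl -s 'http://localhost:9200/_template/zeek?pretty' | grep -A2 index_patterns
#   curl -s 'http://localhost:9200/zeek-*/_mapping?pretty' | grep -c '"type"'
# The first must list "zeek-*". The second is a rough field count: expect
# thousands once the template applies, not the few dozen that dynamic
# mapping of the first events produces.
```

The two settings that actually decide which fields the zeek-* index pattern shows in Kibana are `setup.template.pattern` and `setup.ilm.enabled`: the pattern has to cover the index name, and ILM has to be off or the index name setting is not used at all.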
