How to create an index for Windows Log Event?

eso · March 7, 2016, 7:31pm

I have a Winlogbeat set up, and I want to set an explicit index for it as follows:

output {

 elasticsearch {

     if [type] == "wineventlog" {

         hosts => ["localhost:9200"]
         index => "winlogbeat"
    }
}

}

A parser error occurs. When I removed "if" statement, the parser is happy. Can you tell me what is wrong with it. I want an index for each data source (one for winlogbeat and the other topbeat).

Thanks,
Edison

Muaaz_Saleem · March 7, 2016, 8:55pm

Hi Edison,
Conditionals can't be nested into other filters. But I think you could do sth like this for your use case. I've used this with Filebeat.

output {
 elasticsearch  {
   hosts => ["localhost:9200"]
   index => "%{[@metadata][beat]}"
 }
}

eso · March 7, 2016, 9:42pm

Hello,

Thank you for the reply.

According to the JSON output for winlogevent beat, [beat] has two fields: hostname and name as follows:

beat {
“hostname” => “xxx”
“name” => “xxx”
}

I don’t know how to get rid of one of them because of identical information. Also, the output does not contain [@metadata]; so it does not really help me at all. What is @metadata? What value does it contain?

Right now, I am using:

Index => “%{type}”

where “type” has the value “winlogevent”. At least, the documents for Windows Log Events are being indexed uniquely to a single index value. But, I really want the index value to be “winlogbeat”, and I cannot hard-code it because not all documents are Windows events. If I add TopBeat, this hard-coded index will contain both documents from winlogbeat and topbeat. Too bad that conditionals in Elasticsearch filter is not supported anymore.

Any other suggestion.

Edison

Muaaz_Saleem · March 8, 2016, 6:07am

Hi,

There are a couple ways to go about this. You could put the elasticsearch filter inside the conditional:

if [type] == "wineventlog" {
        elasticsearch {
         hosts => ["localhost:9200"]
         index => "winlogbeat"
    }
}

Alternatively use @metadata. From what I know, you can think of @metadata as logstash output. It has all the info the previous filters applied. [@metadata][beat] gives us the name of the beat we're using. In your case that's Winlogbeat.

magnusbaeck · March 8, 2016, 6:45am

I don’t know how to get rid of one of them because of identical information.

Use the mutate filter's remove_field option.

Also, the output does not contain [@metadata]; so it does not really help me at all. What is @metadata? What value does it contain?

That field contains additional metadata about events that's normally ignored by outputs. See Metadata use cases in Logstash 1.5 | Elastic Blog and Accessing event data and fields | Logstash Reference [8.11] | Elastic.

Too bad that conditionals in Elasticsearch filter is not supported anymore.

Anymore? Conditionals inside plugin declarations have never been supported.

Topic		Replies	Views
Winlogbeat via Logstash into Elasticsearch Logstash	18	7717	July 22, 2017
Help: Only winlogbeat index with date being created Elasticsearch	3	276	April 19, 2022
Using both Filebeat and Winlogbeat Beats filebeat	3	4511	November 8, 2017
Winlogbeat logs filtering in Logstash for storage management and relevant info to elastic Logstash windows	4	1160	September 22, 2021
Separate Index Pattern for each Windows Log Beats winlogbeat	2	524	April 25, 2018

How to create an index for Windows Log Event?

Related topics