How to separate Winlogbeat logs to different ES indexes

Hello all! And sorry for my english...

I have tons of security logs on my elasticsearch. Now I wanna store Windows security logs for 2 weeks, and other (app, system) logs for 3-6 month. So, I think easiest way to do that have 2 types of winlogbeat indices:

  • winlogbeatSEC-2017.01.11 for security logs ,
  • winlogbeat-2017.01.11 for other Windows logs.

So I can simply and quickly delete winlogbeatSEC indices by the script.

How can I divide win logs by "log_name"?

Thanks a lot!

1 Like

If you are going direct to Elasticsearch you could use the indices config option to control the destination index. See

  hosts: ["http://localhost:9200"]
  index: "winlogbeat-%{+yyyy.MM.dd}"
    - index: "winlogbeat-security-%{+yyyy.MM.dd}"
        log_name: "Security"

I recommend using "winlogbeat-security" over "winlogbeatSEC" because the provided index template and sample dashboards will continue to work because they are all based on a pattern matching winlogbeat-*.


This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.