How to separate Winlogbeat logs to different ES indexes

ufomen · January 13, 2017, 2:20pm

Hello all! And sorry for my english...

I have tons of security logs on my elasticsearch. Now I wanna store Windows security logs for 2 weeks, and other (app, system) logs for 3-6 month. So, I think easiest way to do that have 2 types of winlogbeat indices:

winlogbeatSEC-2017.01.11 for security logs ,
winlogbeat-2017.01.11 for other Windows logs.

So I can simply and quickly delete winlogbeatSEC indices by the script.

How can I divide win logs by "log_name"?

Thanks a lot!

magnusbaeck · January 13, 2017, 2:28pm

andrewkroh · January 13, 2017, 8:59pm

If you are going direct to Elasticsearch you could use the indices config option to control the destination index. See https://www.elastic.co/guide/en/beats/winlogbeat/current/elasticsearch-output.html#_indices

output.elasticsearch:
  hosts: ["http://localhost:9200"]
  index: "winlogbeat-%{+yyyy.MM.dd}"
  indices:
    - index: "winlogbeat-security-%{+yyyy.MM.dd}"
      when.equals:
        log_name: "Security"

I recommend using "winlogbeat-security" over "winlogbeatSEC" because the provided index template and sample dashboards will continue to work because they are all based on a pattern matching winlogbeat-*.

system · February 10, 2017, 8:59pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Separate Index Pattern for each Windows Log Beats winlogbeat	2	524	April 25, 2018
Splitting up winlogbeat Elasticsearch	1	648	September 1, 2018
Split up indices based on? tags? Logstash	2	4195	November 17, 2017
Log archiving - Difference between ES vs LS Beats winlogbeat	5	830	December 28, 2017
Outputting logs to specific index depending on log_name Logstash	1	488	January 5, 2019

How to separate Winlogbeat logs to different ES indexes

Related topics