How to separate Winlogbeat logs to different ES indexes


(Alexey Kukin) #1

Hello all! And sorry for my English...

I have tons of security logs in my Elasticsearch. Now I want to store Windows Security logs for 2 weeks, and other (Application, System) logs for 3-6 months. So I think the easiest way to do that is to have 2 types of winlogbeat indices:

  • winlogbeatSEC-2017.01.11 for Security logs,
  • winlogbeat-2017.01.11 for other Windows logs.

So I can simply and quickly delete the winlogbeatSEC indices with a script.

How can I divide the Windows logs by "log_name"?

Thanks a lot!


Splitting up winlogbeat
(Magnus Bäck) #2

(Andrew Kroh) #3

If you are going directly to Elasticsearch, you could use the indices config option to control the destination index. See https://www.elastic.co/guide/en/beats/winlogbeat/current/elasticsearch-output.html#_indices

output.elasticsearch:
  hosts: ["http://localhost:9200"]
  index: "winlogbeat-%{+yyyy.MM.dd}"
  indices:
    - index: "winlogbeat-security-%{+yyyy.MM.dd}"
      when.equals:
        log_name: "Security"

I recommend using "winlogbeat-security" over "winlogbeatSEC" because the provided index template and sample dashboards, which are all based on a pattern matching winlogbeat-*, will continue to work.
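As an added example (not from this thread, Winlogbeat or Elastic), a small Python retention helper that applies the original poster's two-window scheme to the index names produced by the config above. The 14-day and 90-day windows, the sample index list and the Elasticsearch URL are assumptions; indices are deleted by exact name so that a wildcard such as winlogbeat-* can never sweep up the security indices by accident.

```python
"""Retention helper for the two Winlogbeat index families discussed above.
Constructed example: decides which daily indices are past their window."""
import re
import sys
import urllib.request
from datetime import date, timedelta

# Assumed retention windows (days) per index family.
RETENTION_DAYS = {
    "winlogbeat-security": 14,  # Security channel, 2 weeks as in the question
    "winlogbeat": 90,           # Application/System logs, ~3 months (assumed)
}
# Anchored on both ends: only exact daily index names match, never aliases
# or other winlogbeat-* indices whose suffix is not a date.
INDEX_RE = re.compile(
    r"^(?P<prefix>winlogbeat(?:-security)?)-(?P<day>\d{4}\.\d{2}\.\d{2})$")

# Constructed sample of what GET /_cat/indices?h=index might list.
SAMPLE_INDICES = [
    "winlogbeat-security-2017.01.10", "winlogbeat-security-2017.01.11",
    "winlogbeat-security-2017.01.24", "winlogbeat-2016.10.26",
    "winlogbeat-2016.10.27", "winlogbeat-2017.01.10", ".kibana",
]


def expired_indices(index_names, today):
    """Return, sorted, the index names older than their family's window."""
    expired = []
    for name in index_names:
        m = INDEX_RE.match(name)
        if not m:
            continue  # unrelated index (e.g. .kibana): leave it alone
        prefix, day = m.group("prefix"), m.group("day")
        y, mo, d = (int(part) for part in day.split("."))
        cutoff = today - timedelta(days=RETENTION_DAYS[prefix])
        if date(y, mo, d) < cutoff:
            expired.append(name)
    return sorted(expired)


def delete_index(es_url, name):
    """DELETE /<name> on the cluster; returns the HTTP status code."""
    req = urllib.request.Request(f"{es_url.rstrip('/')}/{name}", method="DELETE")
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # Dry run by default; pass --delete to actually remove the indices.
    for idx in expired_indices(SAMPLE_INDICES, date.today()):
        print("would delete" if "--delete" not in sys.argv else "deleting", idx)
        if "--delete" in sys.argv:
            delete_index("http://localhost:9200", idx)  # assumed ES URL
```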

