Hello all! And sorry for my english...
I have tons of security logs on my elasticsearch. Now I wanna store Windows security logs for 2 weeks, and other (app, system) logs for 3-6 month. So, I think easiest way to do that have 2 types of winlogbeat indices:
So I can simply and quickly delete winlogbeatSEC indices by the script.
How can I divide win logs by "log_name"?
Thanks a lot!
If you are going direct to Elasticsearch you could use the indices config option to control the destination index. See https://www.elastic.co/guide/en/beats/winlogbeat/current/elasticsearch-output.html#_indices
output.elasticsearch:
hosts: ["http://localhost:9200"]
index: "winlogbeat-%{+yyyy.MM.dd}"
indices:
- index: "winlogbeat-security-%{+yyyy.MM.dd}"
when.equals:
log_name: "Security"
I recommend using "winlogbeat-security" over "winlogbeatSEC" because the provided index template and sample dashboards will continue to work because they are all based on a pattern matching winlogbeat-*.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.