Index Creation for Fortinet Devices Fail

gisellecarballo · October 8, 2022, 3:54am

Hello Elastic Team,

I would like to ask for help for I my filebeat seems like to fail creating index for my fortinet firewall (I use Fortinet filebeat module). Filebeat version is 7.17.15. However, the fortigate logs falls into index filebeat-*

Filebeat.yml:
output.elasticsearch:
hosts: ["172.30.169.50:9200"]
ssl.verification_mode: "none"
username: "elastic"
password: "m4gN3s1@.123"
indices:
- index: "sdwan-%{+yyyy.MM.dd}"
when.contains:
observer.name: "SDWAN"
- index: "mpls-%{+yyyy.MM.dd}"
when.contains:
host.name: "MPLS"

jsoriano · October 10, 2022, 3:24pm

Hey @gisellecarballo,

Filebeat indexes are managed by default with ILM, to customize their names, you need to disable ILM, or use ILM options.
Take a look here: Configure index lifecycle management | Filebeat Reference [7.17] | Elastic

gisellecarballo · October 20, 2022, 10:19am

Hi @jsoriano ,

It seems like there are fields that able to process by filebeat. when I tried to filter using field event.module instead of observer.name it worked.
Any reason for that ?

Thanks a lot!

system · November 17, 2022, 12:19pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
What i do in this situation? Beats filebeat	2	206	October 5, 2022
Filebeat not sending logs to elastic from fortinet module Beats filebeat	2	366	December 1, 2020
Filebeat cannot create custom index - even when ilm is disabled Beats filebeat	15	645	November 30, 2022
Filebeat fortinet module not indexing after upgrading it and kibana to 7.10.0, Beats filebeat	1	348	December 15, 2020
Filebeat and Fortinet Beats filebeat	2	237	May 30, 2022

Index Creation for Fortinet Devices Fail

Related topics