Index Creation for Fortinet Devices Fail

gisellecarballo · October 8, 2022, 3:54am

Hello Elastic Team,

I would like to ask for help for I my filebeat seems like to fail creating index for my fortinet firewall (I use Fortinet filebeat module). Filebeat version is 7.17.15. However, the fortigate logs falls into index filebeat-*

Filebeat.yml:
output.elasticsearch:
hosts: ["172.30.169.50:9200"]
ssl.verification_mode: "none"
username: "elastic"
password: "m4gN3s1@.123"
indices:
- index: "sdwan-%{+yyyy.MM.dd}"
when.contains:
observer.name: "SDWAN"
- index: "mpls-%{+yyyy.MM.dd}"
when.contains:
host.name: "MPLS"

jsoriano · October 10, 2022, 3:24pm

Hey @gisellecarballo,

Filebeat indexes are managed by default with ILM, to customize their names, you need to disable ILM, or use ILM options.
Take a look here: Configure index lifecycle management | Filebeat Reference [7.17] | Elastic

gisellecarballo · October 20, 2022, 10:19am

Hi @jsoriano ,

It seems like there are fields that able to process by filebeat. when I tried to filter using field event.module instead of observer.name it worked.
Any reason for that ?

Thanks a lot!

Topic		Replies	Views
Filebeat and Fortinet Beats filebeat	2	256	May 30, 2022
Filebeat cannot create custom index - even when ilm is disabled Beats filebeat	15	870	November 30, 2022
Filebeat Index with Module in Name -> Alias and ILM Beats ilm-index-lifecycle-management , filebeat	1	259	October 26, 2022
Filebeat Fortinet module can't run Beats beats-module , filebeat	6	1588	January 21, 2021
Filebeat fortinet module not indexing after upgrading it and kibana to 7.10.0, Beats filebeat	1	367	December 15, 2020

Index Creation for Fortinet Devices Fail

Related topics