Index Creation for Fortinet Devices Fail

Hello Elastic Team,

I would like to ask for help, because my Filebeat seems to fail at creating an index for my Fortinet firewall (I use the Fortinet Filebeat module). Filebeat version is 7.17.15. However, the FortiGate logs fall into the index filebeat-*.

Filebeat.yml:
output.elasticsearch:
  hosts: ["172.30.169.50:9200"]
  ssl.verification_mode: "none"
  username: "elastic"
  password: "m4gN3s1@.123"
  indices:
    - index: "sdwan-%{+yyyy.MM.dd}"
      when.contains:
        observer.name: "SDWAN"
    - index: "mpls-%{+yyyy.MM.dd}"
      when.contains:
        host.name: "MPLS"

Hey @gisellecarballo,

Filebeat indices are managed by default with ILM; to customize their names, you need to disable ILM or use the ILM options.
Take a look here: Configure index lifecycle management | Filebeat Reference [7.17] | Elastic

Hi @jsoriano ,

It seems like only some fields can be processed by Filebeat: when I tried to filter using the field event.module instead of observer.name, it worked.
Any reason for that ?

Thanks a lot!
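Two things from this thread fit together. First, as the reply above says, Filebeat 7.17 ignores output.elasticsearch.index and output.elasticsearch.indices while ILM is enabled (the default), so the custom names never take effect. Second, the `indices` conditions are evaluated on the event as it leaves Filebeat; fields such as observer.name are filled in later by the Fortinet module's ingest pipeline inside Elasticsearch, so Filebeat never sees them and the condition can never match, while event.module (set by Filebeat itself) does. The fragment below is an added example, not the original poster's config and not Elastic's documentation; it assumes the Elasticsearch address from the post, that the cluster serves TLS with a CA at the shown path, that the FortiGate syslog lines contain devname="SDWAN..." / devname="MPLS..." (hypothetical device names), and illustrative index and template names.

```yaml
# Added example (not from the original thread): filebeat.yml for 7.17 that
# routes FortiGate events to custom indices.
# Assumptions: ES at 172.30.169.50:9200 (from the post) serving TLS; CA path,
# index names, template name/pattern, keystore key and devname values are
# illustrative.

# 1. Custom index names are ignored while ILM is on, so turn it off.
#    (You then own retention yourself: no rollover, no automatic deletion.)
setup.ilm.enabled: false

# 2. With ILM off, the index template must match the custom names, otherwise
#    the documents land in an index without the module's mappings.
#    Load it with: filebeat setup --index-management
setup.template.name: "fortinet"
setup.template.pattern: "fortinet-*"

output.elasticsearch:
  hosts: ["https://172.30.169.50:9200"]      # assumption: cluster speaks TLS
  # Verify the server certificate instead of "ssl.verification_mode: none".
  ssl.certificate_authorities: ["/etc/filebeat/certs/ca.crt"]   # assumed path
  username: "elastic"
  # Keep the password out of the config file:
  #   filebeat keystore create && filebeat keystore add ES_PWD
  password: "${ES_PWD}"
  # Used when no rule in `indices` matches; must also match the template pattern.
  index: "fortinet-other-%{+yyyy.MM.dd}"
  indices:
    # observer.name does not exist yet at this point (the ingest pipeline sets
    # it), so match on data that is present before the event leaves Filebeat:
    # the raw `message`, or Filebeat-set fields such as event.module,
    # fileset.name and event.dataset.
    - index: "fortinet-sdwan-%{+yyyy.MM.dd}"
      when.contains:
        message: 'devname="SDWAN'
    - index: "fortinet-mpls-%{+yyyy.MM.dd}"
      when.contains:
        message: 'devname="MPLS'
```

Two caveats. The post's second rule matched on host.name; at output time that field holds whatever Filebeat's own processors (typically add_host_metadata) put there, which is the collector's hostname rather than the firewall's, so it will not distinguish the two links. And the `message` match works only because FortiGate syslog carries `devname=` in every line before the ingest pipeline parses it; if the device names are not in the raw line, fall back to event.module / fileset.name or to separate inputs per source.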
