Hello,
I have a centralized ELK server, where data is shipped via winlogbeat and filebeat installed on client machines. Now I am trying to route Cisco ASA device logs to this server. Up to some extent I have been a bit successful in getting the data, but I am facing an issue creating a new index pattern for it via the Logstash configuration. Please check the configuration below and help me fix it (the config below is not working):
Just to make it more clear:
when I get data from winlogbeat and filebeat, I get indices in the winlogbeat-* and filebeat-* format.
I want the same kind of format for the firewall logs, but instead I am getting them in the
%{[@metadata][beat]}-* format. I want to achieve the firewall-* format.
input.conf

    input {
      beats {
        port => 6099
      }
      udp {
        port => 5000
        type => "cisco-asa"
      }
    }
output.conf

    output {
      elasticsearch {
        hosts => ["localhost:9200"]
        sniffing => true
        manage_template => false
        if [type] == "cisco-asa" {
          index => "firewall-%{+YYYY.MM.dd}" }
        if [type] != "cisco-asa" {
          index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}" }
      }
      stdout {
        codec => rubydebug
      }
    }
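One way to get the routing described above, written as an added example and not the poster's own configuration: Logstash conditionals must wrap whole plugin blocks (or live in the filter section), so this version decides the index name once in a filter and uses a single elasticsearch output. It assumes the same ports, hosts and the `type => "cisco-asa"` tag from the input.conf above; the `[@metadata][target_index]` field name and the `unrouted` fallback are my own choices.

```logstash
# Added example: route Cisco ASA syslog to firewall-* and Beats events to <beat>-*.
# Files in the pipeline directory are concatenated, so this can live in output.conf.

filter {
  # Work out the target index once and keep it in @metadata,
  # which is never written to Elasticsearch.
  if [type] == "cisco-asa" {
    mutate { add_field => { "[@metadata][target_index]" => "firewall" } }
  } else if [@metadata][beat] {
    # Beats events carry their beat name; keep the filebeat-* / winlogbeat-* prefix.
    mutate { add_field => { "[@metadata][target_index]" => "%{[@metadata][beat]}" } }
  } else {
    # Fallback for events with neither a cisco-asa type nor a beat name,
    # so an unresolved sprintf never becomes the literal index name "%{[@metadata][beat]}-...".
    mutate { add_field => { "[@metadata][target_index]" => "unrouted" } }
  }
}

output {
  # One elasticsearch output; the conditional logic already happened in the filter.
  elasticsearch {
    hosts => ["localhost:9200"]
    sniffing => true
    manage_template => false
    index => "%{[@metadata][target_index]}-%{+YYYY.MM.dd}"
  }
  # metadata => true makes the chosen target index visible while debugging.
  stdout {
    codec => rubydebug { metadata => true }
  }
}
```

Placing `if` statements inside an `elasticsearch { }` block, as in the posted output.conf, is a configuration parse error rather than a silent no-op, and the literal `%{[@metadata][beat]}-*` index name is what Logstash produces when an event has no `[@metadata][beat]` field to substitute, which the fallback branch here avoids.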