Hello,
I have a centralized ELK server, where data is getting shipped via winlogbeat and filebeat installed on client machines. Now I am trying to route cisco-asa devices logs to this server. Upto some extent I am bit successful in getting the data, but facing issue to create a new index pattern for it via logstash configuration. Please check below configuration and help me in fixing it (below config is not working):
Just to make it more clear,
when I get data from winlogbeat and filebeat, I get indexes in winlogbeat-* filebeat-* format.
I want the same kind of format for firewall logs, but instead I am getting them in
%{[@metadata][beat]}-* format. I want it to achieve in firewall-* format.
input.conf
input {
beats {
port => 6099
}
udp {
port => 5000
type => "cisco-asa"
}
}
output.conf
output {
elasticsearch {
hosts => ["localhost:9200"]
sniffing => true
manage_template => false
if [type] == "cisco-asa" {
index => "firewall-%{+YYYY.MM.dd}" }
if [type] != "cisco-asa" {
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}" }
}
stdout {
codec => rubydebug
}
}