I've been doing some searching and tried a few things already, even tried to create a new template (but failed) ... not even sure that is what is required.
Outline:
5 production servers using IIS
3 dev servers using IIS
Want to send IIS logs to ES for each, but with different index names.
Example:
WebServer1 : "WS1-iis-%{[beat.version]}{+yyyy.MM.dd}"
Webserver 2: WS2...
etc
Using Filebeat 7, ES 7, Kibana 7, and have Logstash installed but not in use.
Also using the iis module within Filebeat.
All the indices are filebeat-7.x.x.x-date.xxxxx
As an example, here is the filebeat.yml file on one of the servers.
filebeat.inputs:
# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.
- type: log
  enabled: false
  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - /var/log/*.log
    #- c:\programdata\elasticsearch\logs\*
#============================= Filebeat modules ===============================
filebeat.config.modules:
  # Glob pattern for configuration loading
  path: ${path.config}/modules.d/*.yml
  # Set to true to enable config reloading
  reload.enabled: true
  # Period on which files under path should be checked for changes
  #reload.period: 10s
#==================== Elasticsearch template setting ==========================
setup.template.enabled: true
setup.template.fields: "${path.config}/fields.yml"
setup.template.name: "bt1-iis-%{[beat.version]}"
setup.template.pattern: "bt1-iis-%{[beat.version]}-*"
setup.template.overwrite: true
setup.template.settings:
  index.number_of_shards: 1
  #index.codec: best_compression
  #_source.enabled: false
#setup.dashboards.enabled: false
# The URL from where to download the dashboards archive. By default this URL
# has a value which is computed based on the Beat name and version. For released
# versions, this URL points to the dashboard archive on the artifacts.elastic.co
# website.
#setup.dashboards.url:
#============================== Kibana =====================================
# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:
  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify an additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  host: "10.x.x.x:5601"
#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["10.x.x.x:9200"]
  protocol: http
  # Date format strings need the %{...} wrapper, like the version field above.
  index: "bt1-iis-%{[beat.version]}-%{+yyyy.MM.dd}"
  # Optional protocol and basic auth credentials.
  #protocol: "https"
  #username: "elastic"
  #password: "changeme"
In addition, I added the following template and thought it would maybe make it work:
{
  "index_patterns": [
    "bt1-*"
  ],
  "mappings": {
    "_meta": {
      "beat": "bt1",
      "version": "7.0.1"
    },
    "date_detection": false,
    "dynamic_templates": [
      {
        "labels": {
          "mapping": {
            "type": "keyword"
          },
          "match_mapping_type": "string",
          "path_match": "labels.*"
        }
      },
      {
        "container.labels": {
          "mapping": {
            "type": "keyword"
          },
          "match_mapping_type": "string",
          "path_match": "container.labels.*"
  .....
  "order": 1,
  "settings": {
    "index": {
      "lifecycle": {
        "name": "bt1-7.0.1",
        "rollover_alias": "bt1-7.0.1"
      },
      "mapping": {
        "total_fields": {
          "limit": 10000
        }
      },
      "number_of_routing_shards": 30,
Running in Kibana
GET /_template/bt*
displays it.
However, deleting the filebeat-* index file and restarting the service did not work.
YAML is indentation sensitive and it looks like the indentation for the index line might be off.
Well, I still have no clue what I am doing, but I think with these IIS logs I am close.
In Kibana I see:
Index Pattern: filebeat-*
I have two IIS servers logging to it.
When I started the first instance of filebeat, the following was created:
filebeat-7.0.1-2019.05.16-000001
Followed by that server's, which is filebeat-7.0.1-bt1-iis-2019.05.16.
When I turned on the next server with IIS,
filebeat-7.0.1-ws1-iis-2019.05.16 was created.
After some time, I see
2 indices have lifecycle errors; ilm.step:ERROR
I suspect I will see 3 once the next one catches up.
The lifecycle policy is filebeat-7.0.1, with 3 linked indices.
I looked at one of these:
Index lifecycle error
illegal_argument_exception: index.lifecycle.rollover_alias [filebeat-7.0.1*] does not point to index [filebeat-7.0.1-bt1-iis-2019.05.16]
I went to edit settings on this one in Kibana and changed the line
"index.lifecycle.rollover_alias": "filebeat-7.0.1", to "index.lifecycle.rollover_alias": "filebeat-7.0.1*",
thinking maybe that would work.
This was done on all of the indices created.
This is part of the second filebeat.yml; the other is identical with minor changes.
filebeat.config.modules:
  # Glob pattern for configuration loading
  path: ${path.config}/modules.d/*.yml
  # Set to true to enable config reloading
  reload.enabled: true
  # Period on which files under path should be checked for changes
  reload.period: 20s
#==================== Elasticsearch template setting ==========================
setup.template.name: "filebeat-%{[agent.version]}-ws1-iis"
setup.template.pattern: "filebeat-%{[agent.version]}-ws1-iis-*"
setup.template.fields: "fields.yml"
setup.template.overwrite: false
setup.template.settings:
  index.number_of_shards: 1
  index.codec: best_compression
  #_source.enabled: false
setup.dashboards:
  index: "filebeat-%{[agent.version]}-ws1-iis-*"
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["10.x.x.x:9200"]
  indices:
    - index: "filebeat-%{[agent.version]}-ws1-iis-%{+yyyy.MM.dd}"
      when.equals:
        event.module: "iis"
Spinning wheels go round round!
Index lifecycle error
illegal_argument_exception: index.lifecycle.rollover_alias [filebeat*] does not point to index [filebeat-7.0.1-ws1-iis-2019.05.22-000001]
I am not having any luck getting rid of messages like the one above. I've tried various things. Where do I add this ... modify the template? What information do I need to provide to get help on this?
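The rollover_alias errors above come from ILM: when Filebeat 7 talks to ES 7, ILM is enabled by default, output.elasticsearch.index (and indices:) and setup.template.name/pattern are ignored, and every index is created with index.lifecycle.rollover_alias pointing at whatever Filebeat's own rollover alias is, which then never matches a per-server index name (an alias with a wildcard in it is not an alias at all). As an added example, not from this thread or the Filebeat project, here is a per-server filebeat.yml for the ws1 host that names the index through setup.ilm instead; the alias and policy names, and the host addresses, are assumptions.

```yaml
# Added example: per-server index naming on Filebeat 7 with ILM left enabled.
# With ILM on, the rollover alias doubles as template name, index pattern
# and write alias, so it is the only place the per-server name needs to live.
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml   # loads modules.d/iis.yml
  reload.enabled: true

setup.ilm.enabled: true
# One alias per server: "filebeat-ws1-iis" here, "filebeat-ws2-iis", "filebeat-bt1-iis"
# on the other hosts (assumed names). Must be a plain name, no wildcards.
setup.ilm.rollover_alias: "filebeat-ws1-iis"
# First backing index becomes filebeat-ws1-iis-2019.05.22-000001; rollover
# then creates -000002 and moves the write alias to it.
setup.ilm.pattern: "{now/d}-000001"
# Either reuse the policy Filebeat created (filebeat-7.0.1 in the thread)
# or give the IIS servers their own; the name below is assumed.
setup.ilm.policy_name: "filebeat-iis"

# Per-index settings still come from the template Filebeat loads.
setup.template.settings:
  index.number_of_shards: 1
  index.codec: best_compression

setup.kibana:
  host: "10.x.x.x:5601"   # placeholder address, as in the thread

output.elasticsearch:
  hosts: ["10.x.x.x:9200"]   # placeholder address, as in the thread
  # Deliberately no index:/indices: here; ILM chooses the write alias,
  # and a per-output index would be ignored anyway while ILM is enabled.
```

Run `filebeat setup --index-management` once on each server before shipping events so the template, policy and the write alias exist, and delete (or reindex) the earlier indices that were created with a rollover_alias they do not belong to; editing their settings by hand, as tried above, does not create the missing alias.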