Index tag in Logstash output doesn't seem to work

While testing Winlogbeat we set the index in the Logstash output but never see it getting passed. Anyone else seeing similar to this?

What I have set in my yml:

# Optional index name. The default index name depends on the each beat.
# For Packetbeat, the default is set to packetbeat, for Topbeat
# top topbeat and for Filebeat to filebeat.
index: "testindex"

Sample of my output:
{"message":"The Windows Installer service entered the running state.","@version":"1","@timestamp":"2015-05-15T17:24:00.483Z","beat":{"hostname":"rawill1014","name":"rawill"},"computer_name":"","count":1,"event_id":7036,"level":"Information","log_name":"System","record_number":"81567","source_name":"Service Control Manager","tags":["winlogbeat","web-tier"],"type":"wineventlog","host":"rawill1014","LS":"LS1-368"}

This is what I see when I do a file output to see what fields are being passed around.

The @metadata field that contains the index field is only generated by the Logstash output. You won't see it in the file output.

Use this in your Logstash output if you want to view the @metadata contents:

stdout { codec => rubydebug { metadata => true } }

@metadata is always filtered by Logstash outputs.


Just tried that; I changed the value in the yml for index to BBBBBBBBB so it would be easy to find. It did not come out like I thought it would: instead of the value being in tag index, it's in tag "beat". So is this the way it's going to work?

"@metadata" => {
"beat" => "BBBBBBBBB",
"type" => "wineventlog"

Yes, that is what I expected.

In your LS config you would use something like:

  elasticsearch {
    hosts => "localhost:9200"
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }

Reference: Get started with Beats | Beats Platform Reference [7.15] | Elastic
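
An added example, not part of the thread and not Logstash's own code: a simplified Python model of why the Beats index value shows up under [@metadata][beat], resolves in the index pattern, and still never appears in file output. The event is constructed from the values posted above, the function names are hypothetical, and only bracketed field references and the YYYY, MM and dd date tokens are handled.

```python
import json
import re
from datetime import datetime

# Constructed event modelled on the thread: Winlogbeat with index: "BBBBBBBBB".
EVENT = {
    "@timestamp": "2015-05-15T17:24:00.483Z",
    "message": "The Windows Installer service entered the running state.",
    "type": "wineventlog",
    "@metadata": {"beat": "BBBBBBBBB", "type": "wineventlog"},
}

# Only the date tokens used in the thread's index pattern are mapped.
JODA = {"YYYY": "%Y", "MM": "%m", "dd": "%d"}
TOKEN = re.compile(r"%\{(\+[^}]+|(?:\[[^\]]+\])+)\}")


def get_field(event, ref):
    """Resolve a reference such as [@metadata][beat]; None if any key is absent."""
    node = event
    for key in re.findall(r"\[([^\]]+)\]", ref):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def sprintf(event, pattern):
    """Expand %{[field]} and %{+date} references against one event (simplified)."""
    ts = datetime.strptime(event["@timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")

    def expand(match):
        token = match.group(1)
        if token.startswith("+"):
            fmt = re.sub("YYYY|MM|dd", lambda m: JODA[m.group(0)], token[1:])
            return ts.strftime(fmt)
        value = get_field(event, token)
        # An unresolved reference stays in the string as literal text.
        return match.group(0) if value is None else str(value)

    return TOKEN.sub(expand, pattern)


def serialize(event):
    """Model of an output writing the event: @metadata is dropped."""
    return json.dumps({k: v for k, v in event.items() if k != "@metadata"})
```

If an event reaches the output without @metadata (for example, one that did not come from a Beat), the reference is left unexpanded and the index name contains the literal `%{[@metadata][beat]}` text, which is worth checking for when events seem to go missing.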