To whom it may concern,
Background: Currently in our Windows servers we have different applications that belong to different clients. Therefore, we want to create different indexes with different ILM policies since each client will have different retention times and policies. Therefore, it is essential that each client can have its own policies.
Problem statement: We have proposed a simple architecture, through which Filebeat is directly ingested in Elastic (Elastic Cloud), without going through Logstash. However, we have encountered the following problem: in Filebeat we can configure different patterns for the index, but it is only possible to configure an index template, and therefore, it is only possible to associate an ILM policy to this index template. The problem is that we cannot associate several index templates, one for each client on a single Filebeat configuration.
Possible solution: After researching, I read that there would be no problem in having different instances of Filebeat on Windows. This way, each Filebeat instance would manage the logs of each client. The problem with this solution is scalability; it is not sustainable or maintainable to have 10 or 15 Filebeat instances, as the operation would not be efficient.
Any solutions? I think the only solution is to include Logstash in the equation: send everything from Filebeat to Logstash, and manage the creation of indexes, index templates and ILM policies in Logstash.
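
For reference, a single-instance `filebeat.yml` for the setup described in the post, given as an added example that is not part of the original post: each input tags its events with a client id, and one `indices` rule routes them to per-client daily indices, with template and ILM setup turned off in Filebeat. It assumes one index template per client (matching `client-a-*`, `client-b-*`) was created in Elasticsearch outside Filebeat, each setting `index.lifecycle.name` to that client's policy, and that those policies use age-based phases without rollover. The client names, paths, `client_id` field and credentials are hypothetical placeholders.

```yaml
# Added example: one Filebeat instance, per-client indices.
# Client ids, log paths and credentials below are placeholders.
filebeat.inputs:
  - type: filestream
    id: client-a-app-logs            # each filestream input needs a unique id
    paths:
      - 'C:\Logs\ClientA\*.log'
    fields:
      client_id: client-a            # lowercase: it becomes part of the index name

  - type: filestream
    id: client-b-app-logs
    paths:
      - 'C:\Logs\ClientB\*.log'
    fields:
      client_id: client-b

# Filebeat manages neither templates nor ILM here. The per-client index
# templates and ILM policies are assumed to exist in Elasticsearch already.
setup.ilm.enabled: false
setup.template.enabled: false

cloud.id: "<cloud-id>"
cloud.auth: "<user>:<password>"

output.elasticsearch:
  indices:
    # One rule covers every client: the index name is built from the tag.
    # If fields.client_id is missing, the rule does not apply and the event
    # goes to Filebeat's default index instead.
    - index: "%{[fields.client_id]}-%{+yyyy.MM.dd}"
```

Adding a client then means one more input block here plus one index template and ILM policy on the Elasticsearch side.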