Logstash / problem with windows index

secsec · November 20, 2023, 3:17pm

Hello,

could you please help me?

Im using Elastic version 8.11.1

Im trying to create new 2 indexes for windows and linux.

This code below is working for linux (it is automaticaly creating indexes every day), but it is not creating indexes for windows. I can see logs via under analytics > discover for windows.

it is windows 10 machine

output {
    if [host][os][type] == "windows" {
        elasticsearch {
            hosts => ["https://localhost:9200"]
            ssl_certificate_authorities => ["/etc/logstash/http_ca.crt"]
            user => 'elastic'
            password => 'somepassword'
            manage_template => false
            index => "windows-%{[host][name]}-%{+YYYY.MM.dd}"
        }
    } else if [host][os][type] == "linux" {
        elasticsearch {
            hosts => ["https://localhost:9200"]
            ssl_certificate_authorities => ["/etc/logstash/http_ca.crt"]
            user => 'elastic'
            password => 'somepassword'
            manage_template => false
            index => "linux-%{[host][name]}-%{+YYYY.MM.dd}"
        }
    } else if [@metadata][pipeline] {
        elasticsearch {
            user => 'elastic'
            password => 'somepassword'
            hosts => ["https://localhost:9200"]
            ssl_certificate_authorities => ["/etc/logstash/http_ca.crt"]
            manage_template => false
            index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
            pipeline => "%{[@metadata][pipeline]}"
        }
    } else {
        elasticsearch {
            hosts => ["https://localhost:9200"]
            user => 'elastic'
            password => 'somepassword'
            ssl_certificate_authorities => ["/etc/logstash/http_ca.crt"]
            manage_template => false
            index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
        }
    }
}

many thanks

Martin

Rios · November 20, 2023, 5:04pm

Can you check what is [host][os][type] for windows, is the value windows correct?
Use rubydebug to find which values are in runtime.

secsec · November 21, 2023, 11:59am

Hello,

thanks for reply,

correction: sorry this is Windows server 2019 not WIN10

this is the value, that im using in logstash

I tried to bounded with different parameter such as host.os.platform or host.os.family but no luck

secsec · November 22, 2023, 4:15pm

Hello,

my bad, actually logs are NOT going to filebeat and then to logstash it means that creating new index for windows and new index for linux needed to be create via elasticsearch?

thanks

Rios · November 23, 2023, 3:35am

Indices will be created automatically if IF condition is true. If there is no logs in LS, no indices in ES.

system · December 21, 2023, 3:36am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.