New to Elastic.
When I am trying to output the filebeat log file through logstash with the following config:
output {
  elasticsearch {
    hosts => "localhost:9200"
    manage_template => false
    index => "%{[metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}
Indexes are being created named "%{[metadata][beat]}-2017.05.11" rather than "filebeat-2017.05.11".
Winlogbeat seems to work as expected using the @metadata.beat value.
Any direction on how to correct this? I would like indexes populated dynamically by the respective beats module.
input {
  beats {
    port => "5044"
  }
}
filter {
  if [type] == "log" {
    grok {
      match => { "message" => "%{TIMESTAMP_ISO8601:eventtime} %{WORD:action} %{WORD:protocol} %{IP:source_ip} %{IP:destination_ip} %{USERNAME:src-port} %{USERNAME:dst-port} %{USERNAME:size} %{USERNAME:tcpflags} %{USERNAME:tcpsyn} %{USERNAME:tcpack} %{USERNAME:tcpwin} %{USERNAME:icmptype} %{USERNAME:icmpcode} %{USERNAME:info} %{WORD:direction}" }
    }
    mutate {
      remove_field => [ "message","icmpcode","icmptype","size","tcpack","tcpflags","tcpsyn","tcpwin" ]
    }
    date {
      match => ["eventtime","yyyy-MM-dd HH:mm:ss"]
    }
  }
}
output {
  stdout { codec => rubydebug { metadata => true } }
  elasticsearch {
    hosts => "localhost:9200"
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}
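The substitution behaviour behind this question, as an added Python example that is not part of the original post or of Logstash itself: it resolves Logstash-style %{...} references against a constructed sample event (the `lookup`, `sprintf` and `unresolved_refs` helpers, the Joda-to-strftime mapping and the event contents are my assumptions) and shows why a reference to `[metadata][beat]` instead of `[@metadata][beat]` is left as literal text in the index name, which is worth checking before security logs are routed into the wrong index.

```python
import re
from datetime import datetime, timezone

# Constructed sample event shaped like what the beats input hands to Logstash:
# top-level fields plus the @metadata map that is not indexed with the document.
SAMPLE_EVENT = {
    "@timestamp": datetime(2017, 5, 11, 14, 3, 0, tzinfo=timezone.utc),
    "@metadata": {"beat": "filebeat", "type": "log"},
    "type": "log",
    "message": "2017-05-11 14:03:00 DROP TCP 10.0.0.5 10.0.0.9 ...",  # constructed
}

# One %{...} reference: either "+<date pattern>" or a field path like [a][b] or a
FIELD_REF = re.compile(r"%\{([^}]+)\}")


def lookup(event, ref):
    """Resolve a field reference such as "[@metadata][beat]" or "type"; None if absent."""
    path = re.findall(r"\[([^\]]+)\]", ref) or [ref]
    node = event
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def joda_to_strftime(pattern):
    # Minimal mapping of the Joda tokens normally used in index names (assumption).
    return pattern.replace("YYYY", "%Y").replace("MM", "%m").replace("dd", "%d")


def sprintf(event, template):
    """Expand a Logstash sprintf template the way the output's index option does."""
    def sub(match):
        ref = match.group(1)
        if ref.startswith("+"):
            return event["@timestamp"].strftime(joda_to_strftime(ref[1:]))
        value = lookup(event, ref)
        # Logstash keeps an unresolvable reference verbatim instead of failing,
        # which is how "%{[metadata][beat]}-2017.05.11" ends up as an index name.
        return match.group(0) if value is None else str(value)
    return FIELD_REF.sub(sub, template)


def unresolved_refs(event, template):
    """Pre-deployment check: field references the event cannot resolve."""
    return [m.group(1) for m in FIELD_REF.finditer(template)
            if not m.group(1).startswith("+") and lookup(event, m.group(1)) is None]
```

Running `unresolved_refs` against a representative event for each beat before reloading the pipeline catches the typo without waiting for a mis-named index to appear.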