@metadata.beats not sending data to filebeat index


#1

New to Elastic.

When I try to output a Filebeat log file through Logstash with the following config:

output {
  elasticsearch {
    hosts => "localhost:9200"
    manage_template => false
    index => "%{[metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}

Indexes are being created called "%{[metadata][beat]}-2017.05.11" rather than "filebeat-2017.05.11".

Winlogbeat seems to work as expected using the @metadata.beat value.

Any direction on how to correct this? I would like indexes populated dynamically by the respective beats module.

input {
  beats {
    port => "5044"
  }
}
filter {
  if [type] == "log" {
    grok {
      match => { "message" => "%{TIMESTAMP_ISO8601:eventtime} %{WORD:action} %{WORD:protocol} %{IP:source_ip} %{IP:destination_ip} %{USERNAME:src-port} %{USERNAME:dst-port} %{USERNAME:size} %{USERNAME:tcpflags} %{USERNAME:tcpsyn} %{USERNAME:tcpack} %{USERNAME:tcpwin} %{USERNAME:icmptype} %{USERNAME:icmpcode} %{USERNAME:info} %{WORD:direction}" }
    }
    mutate {
      remove_field => [ "message","icmpcode","icmptype","size","tcpack","tcpflags","tcpsyn","tcpwin" ]
    }
    date {
      match => ["eventtime","yyyy-MM-dd HH:mm:ss"]
    }
  }
}
output {
  stdout { codec => rubydebug { metadata => true } }
  elasticsearch {
    hosts => "localhost:9200"
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}


(Magnus Bäck) #2

What does stdout { codec => rubydebug {metadata => true } } produce? Is there a [@metadata][beat] field present there for Filebeat events?
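Added example, not part of the original thread: Logstash leaves a `%{...}` reference in the index name as literal text when the referenced field does not exist on the event, which is how an index named `%{[metadata][beat]}-2017.05.11` gets created (the first snippet references `[metadata][beat]`, the full config references `[@metadata][beat]`). The output below guards the dynamic index name with a conditional so events lacking the field go to a clearly named fallback index instead; the fallback name `beats-unresolved` is an assumption chosen for illustration, and the remaining settings are copied from the config in the question.

```logstash
output {
  # Keep the debug output suggested above so [@metadata] is visible per event.
  stdout { codec => rubydebug { metadata => true } }

  if [@metadata][beat] {
    # Field is present: the sprintf reference resolves, e.g. filebeat-2017.05.11
    elasticsearch {
      hosts => "localhost:9200"
      manage_template => false
      index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
      document_type => "%{[@metadata][type]}"
    }
  } else {
    # Field is missing: route to a fixed index (hypothetical name) rather than
    # letting a literal "%{...}" string become the index name.
    elasticsearch {
      hosts => "localhost:9200"
      manage_template => false
      index => "beats-unresolved-%{+YYYY.MM.dd}"
    }
  }
}
```

Any documents arriving in the fallback index indicate a shipper whose events reach the output without `[@metadata][beat]` set.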

