We are in the process of standardising index names to ensure permissions are given correctly (e.g. my_os_windows_yyyy-mm-dd, my_os_linux_yyyy-mm-dd, my_network_cisco_yyyy-mm-dd etc.) rather than the default "filebeat*" format. This way we can control which index and data and roles/permissions/index patterns etc.
I understand how to put the output settings if I'm developing my own logstash.conf; I know how to ensure it goes into the correct index.
But if I'm using the inbuilt modules (e.g. system or audit modules) within filebeat, how would I configure the outputs? The only area I could find is to put "output.elasticsearch" in the main filebeat.yml, but that is not good as you have a single index name there? So is there any way we can put this setting in the module.d itself or an outputs.d folder?
I'm planning to send data from
client => filebeats => logstash => elasticsearch
So how can I make sure it goes into my own index rather than the hardcoded filebeat* index?
If you are planning to send data to Elasticsearch directly you can set the index dynamically by using a format string to access any event. For instance:
But I thought the %{[fields.log_type]}% parameter is just the log severity? I was looking for something at a type-of-data level, like "audit" or "security", "operating system" etc., which I can configure based on the data or user custom.
Also, where do you update this (as per the doc, this is in the filebeat.yml)? But filebeat.yml is common to the entire dataset of the filebeat, I thought.
I was looking to configure them at the module level, so the data output is configured within the module (and not at the entire filebeat installation level).
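An added example, not part of the original thread or of the Filebeat documentation: one way to route module data to separately named indices from a single filebeat.yml, so that role index privileges can be scoped to patterns such as `my_os_linux_*`. The host, the fallback index name `my_unsorted` and the `auditd`/`system` module choices are assumptions, and the `event.module` field name applies to ECS-based Filebeat versions.

```yaml
# filebeat.yml -- added example; host and index names are placeholders

# Modules are still enabled in modules.d as usual.
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml

# A custom index name needs a matching template name and pattern,
# otherwise Filebeat refuses to start with the changed index setting.
setup.template.name: "my"
setup.template.pattern: "my_*"

# Assumption: a version with index lifecycle management (7.x).
# While ILM is enabled there, the custom index settings below are ignored.
setup.ilm.enabled: false

output.elasticsearch:
  hosts: ["https://es.example.internal:9200"]   # placeholder host

  # Fallback for events that match none of the rules below
  # ("my_unsorted" is a hypothetical name).
  index: "my_unsorted_%{+yyyy-MM-dd}"

  # Rules are evaluated top to bottom; the first match wins.
  indices:
    # Events produced by the auditd module
    - index: "my_os_linux_audit_%{+yyyy-MM-dd}"
      when.equals:
        event.module: "auditd"

    # Events produced by the system module (syslog, auth)
    - index: "my_os_linux_%{+yyyy-MM-dd}"
      when.equals:
        event.module: "system"
```

The `indices` rules belong to the Elasticsearch output only. With `output.logstash`, the same `event.module` test has to be made in the Logstash pipeline that writes to Elasticsearch.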