Rename the WinlogBeat index

Adren · February 13, 2018, 9:32am

Hello,

I installed and configured winlogbeat to send his logs to logstash and it's successful. My question is, now, I want to change the name of the index in kibana, all I see is this by example:

The index I pointed out in the screen is the logs from winlogbeat, but how do you change the name of the index ? I want "Winlogbeat-2018-02-13" for example.

I tried to put these lines to the configuration file from Winlogbeat but it's not a success
winlogbeat.event_logs:
- name: Security
ignore_older: 168h

output.logstash:
  hosts: ["localhost:5044"]

setup.template.name: "winlogbeat-%{[beat.version]}"
setup.template.pattern: "winlogbeat-%{[beat.version]}-*"

adrisr · February 13, 2018, 10:05am

Hi,

As you're using logstash to send the events to elasticsearch, the index name must be configured in logstash and not filebeat.

You need to add the following lines to your logstash configuration:

input {
  beats {
    port => 5044
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}" 
  }
}

Have a look at the logstash output configuration docs

Adren · February 13, 2018, 10:10am

Thanks a lot, it's working !

Regards.

PandKing · February 28, 2018, 4:22pm

So is the current Logstash beats input documentation incompatible with the current beats documentation and default setup?

Also haven't seen anything yet that speaks to the purpose of the version in the index, does anyone have ref material?

https://www.elastic.co/guide/en/logstash/current/plugins-inputs-beats.html
https://www.elastic.co/guide/en/beats/winlogbeat/current/logstash-output.html

Thanks

adrisr · February 28, 2018, 7:31pm

Thanks for bringing up this inconsistency between beats and logstash docs, we'll fix it.

About the version being included in the index name, it helps to ensure the index always has the correct index template applied to it. It makes the update process easier and also allows to run different versions of the same beat at the same time. See the pull request that introduced it.

PandKing · March 2, 2018, 5:48am

Thanks for the quick turnaround! I see the docs have been updated.

ALSO: The winlogbeat documentation references unix pathnames

https://www.elastic.co/guide/en/beats/winlogbeat/current/configuration-path.html

system · March 30, 2018, 5:48am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.