Hey there,
I'd like to collect logs on a device with different modules and send them to different indices.
The question itself is answered in:
Though, as far as I understand, this only works when ILM is disabled. Yet, I would like to keep ILM enabled on filebeat, to have the possibility to apply changes to the default index without touching/updating every device.
Now let's say I want syslog module logs in syslog index and nginx logs in ILM default index, e.g. filebeat-XYZ.
This is no problem for self defined inputs, yet, I can't figure out how to send logs collected by modules to different indices with ILM enabled.
Thanks and best regards,
Niklas