Set Index pattern name in Kibana by auditbeat setup

For Kibana setup from Auditbeat:
(In both versions I am describing below, I am using the parameter setup.dashboard.index from the "./auditbeat setup" command to set the index-pattern title.)

In version 6.7, I was able to set the index-pattern title by setting the parameter "setup.dashboards.index", and the value of that attribute was used as the title of the index pattern in Kibana.

But this is not working anymore in version 7.1.1 Elastic Stack. You can set the auditbeat setup parameter "setup.dashboards.index" to whatever you want, but it takes the default value "auditbeat-*" as index pattern.

Is this maybe a bug? Or am I just missing something?

Thanks for helping.
Mathew

Hi @thekm1, starting with 7.0, auditbeat will use index lifecycle management by default when it connects to a cluster that supports lifecycle management and will load the default policy automatically, which will apply to any indices created by auditbeat (https://www.elastic.co/guide/en/beats/auditbeat/current/ilm.html).
If you set setup.ilm.enabled to false and retry your current setup do you see any results? If not, can you provide us with the content of the auditbeat.yml file?

Hi @MarianaD
Thank you for your response.

I tried this as well.
My command looks like this:

./auditbeat setup -E 'setup.dashboards.index="myname-*"' -E 'setup.dashboards.enabled=true' -E 'setup.ilm.enabled=false'

But this also results in the same index pattern name, which is auditbeat-*.
This is my auditbeat.yml file; it does not contain any big changes:

auditbeat.modules:

- module: file_integrity
  paths:
  - /bin
  - /usr/bin
  - /usr/local/bin
  - /sbin
  - /usr/sbin
  - /usr/local/sbin

- module: system
  datasets:
  - host # General host information, e.g. uptime, IPs
  - package # Installed, updated, and removed packages
  - process # Started and stopped processes

  state.period: 12h

setup.template.settings:
  index.number_of_shards: 1

setup.kibana:
  host: "localhost:5601"

output.elasticsearch:
  hosts: ["localhost:9200"]

processors:
- add_host_metadata: ~
- add_cloud_metadata: ~

Even if I enabled the ilm, I don't see a possibility to set the index-pattern name from the auditbeat config.

Thank you a lot for your effort.

Hi @thekm1 - I was able to reproduce the problem. It's indeed a bug and I put up a fix for it. Should work again soon. Thanks for reporting it!

In the meantime, I'm afraid there might not be much else you can do except replace the index pattern name manually. :frowning:

Hi @cwurm
Thank you for the fix.

Yes, we think as well that the workaround is creating or renaming it.

Thank you for the quick reaction to this issue. :grin:
