Splitting up winlogbeat

I think I have to split up my index, because I was seeing errors about there being too many fields. I was collecting all of Security, System, Application, and a bunch of other Windows logs into a single index, and I think the field count was well over 1000.

@andrewkroh, your solution to the topic "How to separate Winlogbeat logs to different ES indexes" was excellent and got me started; however, I have the following issue now.

Here is my winlogbeat.yml regarding output.elasticsearch:

output.elasticsearch:
  #Array of hosts to connect to.
  hosts: ["IP:9200"]
  indices:
    - index: "winlogbeat-security-%{[beat.version]}-%{+yyyy.MM.dd}"
      when.equals:
        log_name: "Security"
    - index: "winlogbeat-application-%{[beat.version]}-%{+yyyy.MM.dd}"
      when.equals:
        log_name: "Application"
    - index: "winlogbeat-system-%{[beat.version]}-%{+yyyy.MM.dd}"
      when.equals:
        log_name: "System"

In Kibana I have set up index patterns for:

  • winlogbeat-* (I need this one to catch everything other than the below)
  • winlogbeat-security-*
  • winlogbeat-application-*
  • winlogbeat-system-*

My issue is obviously that winlogbeat-* matches everything. I figure I can do winlogbeat-6.3.0-*, but I am wondering if this is the best way to "catch everything else".

Setting aside all of the above, however, I am still seeking guidance on whether my splitting strategy above is even a good one, because now I am struggling to create visuals across multiple indices.
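As an added illustration (not code from the original post or from Winlogbeat itself), this script replays the `indices` routing from the winlogbeat.yml above and then checks which Kibana index patterns claim each resulting index name, which makes the overlap between `winlogbeat-*` and the per-log patterns concrete. The fallback index name, the beat version and the date are assumptions.

```python
from fnmatch import fnmatchcase

# Routing rules as written in the post's output.elasticsearch.indices block:
# (log_name value for when.equals, index template).
INDICES = [
    ("Security", "winlogbeat-security-%{[beat.version]}-%{+yyyy.MM.dd}"),
    ("Application", "winlogbeat-application-%{[beat.version]}-%{+yyyy.MM.dd}"),
    ("System", "winlogbeat-system-%{[beat.version]}-%{+yyyy.MM.dd}"),
]
# Assumption: events matching no rule fall through to the default index name.
DEFAULT_INDEX = "winlogbeat-%{[beat.version]}-%{+yyyy.MM.dd}"

# Kibana index patterns listed in the post, plus the narrower candidate.
PATTERNS = ["winlogbeat-*", "winlogbeat-security-*",
            "winlogbeat-application-*", "winlogbeat-system-*"]
NARROW_CATCH_ALL = "winlogbeat-6.3.0-*"


def render(template, version, day):
    """Substitute the two format strings used in the templates."""
    return template.replace("%{[beat.version]}", version).replace("%{+yyyy.MM.dd}", day)


def route_event(event, version="6.3.0", day="2018.07.01"):
    """Pick the index for one event the way the indices block does: first
    matching when.equals rule wins, otherwise the default index."""
    for log_name, template in INDICES:
        if event.get("log_name") == log_name:
            return render(template, version, day)
    return render(DEFAULT_INDEX, version, day)


def matching_patterns(index_name, patterns):
    """Return every Kibana pattern (glob-style '*') that covers this index."""
    return [p for p in patterns if fnmatchcase(index_name, p)]


def overlap_report(events, patterns):
    """Map each index an event lands in to the patterns that would query it."""
    report = {}
    for ev in events:
        idx = route_event(ev)
        report[idx] = matching_patterns(idx, patterns)
    return report


if __name__ == "__main__":
    # Constructed sample events: three routed logs and one that falls through.
    sample = [{"log_name": n} for n in
              ("Security", "Application", "System", "Microsoft-Windows-Sysmon/Operational")]
    for idx, pats in overlap_report(sample, PATTERNS + [NARROW_CATCH_ALL]).items():
        print(f"{idx}: {pats}")
```

Every per-log index is claimed by two patterns (`winlogbeat-*` plus its own), while `winlogbeat-6.3.0-*` only claims the fall-through index, so it does act as the "everything else" pattern, at the cost of needing a new pattern for each beat version.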
