Good morning,
I've been using several beats with elasticsearch and kibana for a while. Everything works well. When I attempt to use logstash things no longer work as expected.
As a test I set up winlogbeat on a machine with the following configuration:
winlogbeat.event_logs:
  - name: Application
  - name: System
  - name: Security
    processors:
      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js
  - name: Microsoft-Windows-Sysmon/Operational
    processors:
      - script:
          lang: javascript
          id: sysmon
          file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js

output.logstash:
  hosts: ["10.1.6.252:5044"]
I added the winlogbeat beat template to ES using the following:
.\winlogbeat.exe setup --index-management -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["es-0.mydomain.com"]'
This creates the template and appears to set up ilm. It creates the index:
winlogbeat-7.3.2-2019.09.24-000001
This is the index I would like to use. When I start winlogbeat it creates an index
logstash-2019.09.24-000001
The following is my logstash output config:
output {
  elasticsearch {
    hosts => ["http://es-0.mydomain.com"]
  }
}
To attempt to solve the problem I added the following to the config:
index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
That also did not work. Now it creates a winlogbeat index per day and does not appear to use ilm. What am I missing?
How can I get winlogbeat and logstash to use the correct index with ilm? Thanks in advance,
Ray Jette
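For reference, the Logstash output below is an added example and not part of the original post. It writes to the rollover alias that `winlogbeat setup --index-management` created (assumed here to be named after the `%{[@metadata][beat]}-%{[@metadata][version]}` pattern, e.g. `winlogbeat-7.3.2`), turns off Logstash's own ILM handling so it does not create a `logstash-*` alias, and leaves template management to the Beat. The host is the one given in the post; the daily date suffix is deliberately left out because rollover is driven by the ILM policy, not by the index name.

```conf
# Added example: route Beats events to the alias that `winlogbeat setup` created.
# Assumes the rollover alias is <beat>-<version> (e.g. winlogbeat-7.3.2) and that
# the index template and ILM policy were already loaded by the Beat's setup step.
output {
  elasticsearch {
    hosts => ["http://es-0.mydomain.com"]

    # Write to the Beat's rollover alias; ILM rolls it over to -000002, -000003, ...
    # Do not append %{+YYYY.MM.dd} here, or each day becomes a plain index outside ILM.
    index => "%{[@metadata][beat]}-%{[@metadata][version]}"

    # Logstash 7.x defaults ilm_enabled to "auto" and would otherwise create its own
    # logstash-* alias and policy; the Beat already manages ILM for its alias.
    ilm_enabled => false

    # The Beat's setup step installed the winlogbeat-7.3.2 template; let Logstash
    # leave templates alone so it does not overwrite it with a logstash template.
    manage_template => false
  }
}
```

After restarting Logstash, a quick check is `GET _cat/aliases/winlogbeat-*?v` and `GET _ilm/explain/winlogbeat-*` on the cluster: the alias should point at the `-000001` index with `is_write_index` true, and the explain output should show the index managed by the Beat's policy rather than a `logstash-*` one.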