Trouble with ilm policy when using logstash

Good morning,

I've been using several beats with elasticsearch and kibana for a while. Everything works well. When I attempt to use logstash things no longer work as expected.

As a test I set up winlogbeat on a machine with the following configuration:


winlogbeat.event_logs:
  - name: Application

  - name: System

  - name: Security
    processors:
      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js

  - name: Microsoft-Windows-Sysmon/Operational
    processors:
      - script:
          lang: javascript
          id: sysmon
          file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js

hosts: [""]

I added the winlogbeat beat template to ES using the following:
.\winlogbeat.exe setup --index-management -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=[""]'

This creates the template and appears to set up ilm. It creates the index:

This is the index I would like to use. When I start winlogbeat it creates an index

The following is my logstash output config:

output {
  elasticsearch {
    hosts => [""]
  }
}

To attempt to solve the problem I added the following to the config:

index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"

That also did not work. Now it creates a winlogbeat index per day and does not appear to use ilm. What am I missing?

How can I get winlogbeat and logstash to use the correct index with ilm? Thanks in advance,

Ray Jette
