Unable to change the default index in Winlogbeat.yaml

I need to push the event logs to the existing index that we already have, but the logs are flowing to a new index, winlogbeat. I tried to modify the winlogbeat.yml file by entering the index name, but it is not working and always says "setup.template.name and setup.template.pattern have to be set if index name is modified". Please provide the solution for this.

#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: hostname
  index: "mi-services"

As the notes above the configuration show, you should set setup.template.name and setup.template.pattern.

# Optional index name. The default is "winlogbeat" plus date
# and generates [winlogbeat-]YYYY.MM.DD keys.
# In case you modify this pattern you must update setup.template.name and setup.template.pattern accordingly.
index: "winlogbeat-%{[beat.version]}-%{+yyyy.MM.dd}"

So you need to set these two options:

# Template name. By default the template name is "winlogbeat-%{[beat.version]}"
# The template name and pattern has to be set in case the elasticsearch index pattern is modified.
setup.template.name: "winlogbeat-%{[beat.version]}"

# Template pattern. By default the template pattern is "-%{[beat.version]}-*" to apply to the default index settings.
# The first part is the version of the beat and then -* is used to match all daily indices.
# The template name and pattern has to be set in case the elasticsearch index pattern is modified.
setup.template.pattern: "winlogbeat-%{[beat.version]}-*"

If you want to send only to index named mi-services you can use the following settings:

setup.template.name: "mi-services"
setup.template.pattern: ""

If the end of the name can have suffixes, you could put setup.template.pattern: "*" into your config.

Thank you.
I have updated the .yml file as below:

#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: hostname
  template.overwrite: true
  setup.template.name: "mi-services"
  setup.templa.pattern: "*"

But still the logs are flowing to the winlogbeat index only; I am unable to push them to the existing index. Please provide the solution.

output.elasticsearch:
  # Array of hosts to connect to.
  enabled: true
  hosts: hostname
  index: "mi-services"
  setup.template.name: "mi-services"
  setup.templa.pattern: "*"

This is my .yml file; it is still saying setup.template.name and setup.template.pattern need to be specified. Please provide a solution for this.

You have a typo in your config. You wrote setup.templa.pattern instead of setup.template.pattern.

The correct form of your config is the following:

enabled: true
hosts: hostname
index: "mi-services"
setup.template.name: "mi-services"
setup.template.pattern: "*"

I have modified my yml file with your input; it is still saying "setup.template.name and setup.template.pattern have to be set if index name is modified". Please provide a resolution for this.

One solution could be to turn off template handling done by Winlogbeat. So you can omit setup.template.name and setup.template.pattern.

setup.template.enabled: true

Please note that in this case Winlogbeat would not manage templates at all.

I have modified the .yml file and included this setting; I am still facing the same issue.

setup.template.enabled: true

By turning off I meant setting setup.template.enabled to false.

output.elasticsearch:
  # Array of hosts to connect to.
  enabled: true
  hosts: hostname
  index: "mi-services"
  setup.template.enabled: false

I tried with false also; same issue.

Could you share your whole config?

I attached my yml file here, please check once.

Sorry, I cannot find your full config. Where did you attach it?

I attached the file here.

I still can't see it. Could you copy it into the textarea?

Also, could you try the template names and patterns like this:

setup.template.name: mi-services
setup.template.pattern: mi-services
output.elasticsearch.index: mi-services
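The thread never reaches a resolution, and the error is easy to keep alive in ways the replies above do not spell out: a `setup.*` option indented under `output.elasticsearch:` is not read as a `setup.template` option at all, a near-miss key such as `setup.templa.pattern` is simply unknown, and an Elasticsearch index template is only applied to indices whose names match its pattern. The following script is an added example for this thread, not Elastic's or Winlogbeat's own code. It uses a small constructed parser for the `key: value` subset of YAML that Beats configs use (not a full YAML parser) and then runs those three checks over two constructed sample configs: one mirroring what was posted above, and one with the `setup.*` keys moved to the top level and the typo fixed.

```python
"""Check the index / template settings of a Winlogbeat-style YAML config.

Added example for this thread, not Elastic's code. Flags three things that
keep the "setup.template.name and setup.template.pattern have to be set"
error alive: setup.* keys indented under output.elasticsearch, near-miss
spellings such as setup.templa.pattern, and a template pattern that cannot
match the configured index name.
"""
import difflib
import fnmatch

DEFAULT_INDEX = "winlogbeat-%{[beat.version]}-%{+yyyy.MM.dd}"
OUTPUT_PREFIX = "output.elasticsearch."
KNOWN_SETUP_KEYS = (
    "setup.template.name",
    "setup.template.pattern",
    "setup.template.enabled",
    "setup.template.overwrite",
)


def parse_simple_yaml(text):
    """Minimal indentation-based parser for the 'key: value' subset of YAML
    (constructed for this example; not a full YAML parser).
    Returns a flat dict mapping dotted key paths to string values."""
    result = {}
    stack = []  # (indent, key) pairs for the enclosing sections
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave sections that are indented at least as deep
        full = ".".join([k for _, k in stack] + [key])
        if value == "":
            stack.append((indent, key))  # a section header, e.g. output.elasticsearch:
        else:
            result[full] = value.strip('"').strip("'")
    return result


def check_index_settings(cfg):
    """Return a list of (code, message) findings for the parsed config."""
    findings = []
    for key in cfg:
        # 1. setup.* keys nested under the output section are not setup.template options
        if key.startswith(OUTPUT_PREFIX + "setup."):
            findings.append(("misplaced",
                             f"'{key}' sits under output.elasticsearch; setup.* belongs at top level"))
        # 2. near-miss spellings of the known setup.template keys
        bare = key[len(OUTPUT_PREFIX):] if key.startswith(OUTPUT_PREFIX) else key
        if bare.startswith("setup.") and bare not in KNOWN_SETUP_KEYS:
            close = difflib.get_close_matches(bare, KNOWN_SETUP_KEYS, n=1, cutoff=0.8)
            if close:
                findings.append(("unknown_key", f"'{bare}' is unknown; did you mean '{close[0]}'?"))
    # 3. a custom index needs a template name and a pattern that matches it,
    #    unless template handling is switched off entirely
    index = cfg.get(OUTPUT_PREFIX + "index")
    template_enabled = cfg.get("setup.template.enabled", "true").lower() != "false"
    if index and index != DEFAULT_INDEX and template_enabled:
        name = cfg.get("setup.template.name")
        pattern = cfg.get("setup.template.pattern")
        if name is None or pattern is None:
            findings.append(("missing_template",
                             "index is customised but setup.template.name/pattern are not both set at top level"))
        elif "%{" not in pattern and not fnmatch.fnmatchcase(index, pattern):
            findings.append(("pattern_mismatch",
                             f"setup.template.pattern '{pattern}' does not match index '{index}'"))
    return findings


# Constructed sample: the config as posted in the thread, with the setup.*
# keys indented under the output section and the 'templa' typo.
CONFIG_AS_POSTED = """
output.elasticsearch:
  # Array of hosts to connect to.
  enabled: true
  hosts: hostname
  index: "mi-services"
  setup.template.name: "mi-services"
  setup.templa.pattern: "*"
"""

# Constructed sample: setup.* moved to the top level, typo fixed, pattern
# equal to the index name as the last reply suggests.
CONFIG_FIXED = """
output.elasticsearch:
  hosts: hostname
  index: "mi-services"

setup.template.name: "mi-services"
setup.template.pattern: "mi-services"
"""

if __name__ == "__main__":
    for label, text in (("as posted", CONFIG_AS_POSTED), ("fixed", CONFIG_FIXED)):
        print(f"--- {label}")
        for code, msg in check_index_settings(parse_simple_yaml(text)) or [("ok", "no findings")]:
            print(f"{code}: {msg}")
```

Run it against a real winlogbeat.yml by reading the file into `parse_simple_yaml`; a `misplaced` finding means the option was indented under `output.elasticsearch:`, and a `pattern_mismatch` finding means the template would never be applied to the index being written to, even though the name-and-pattern check itself passes.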
