I am using Filebeat and Auditbeat to collect the log and send it to Elastic. Here is my config file:

filebeat.inputs:
  - type: filestream
    id: auditbeat
    fields:
      auditbeat: true
    paths:
      - /var/log/auditbeat/*
    parsers:
      - ndjson:
          target: ""
          overwrite_keys: true

filebeat.autodiscover:
  providers:
    - type: kubernetes
      node: ${NODE_NAME}
      hints.enabled: true
      hints.default_config:
        type: filestream
        id: kubernetes-container-logs-${data.kubernetes.node.name}-${data.kubernetes.pod.name}-${data.kubernetes.container.id}-${data.kubernetes.pod.uid}
        paths:
          - /var/log/containers/*-${data.kubernetes.container.id}.log
        parsers:
          - container: ~
        prospector:
          scanner:
            fingerprint.enabled: false
            symlinks: false
        file_identity.fingerprint: ~
        clean_removed: true

output.elasticsearch:
  hosts: ["${ELASTICSEARCH_HOST:elasticsearch}:${ELASTICSEARCH_PORT:9200}"]
  compression_level: 9
  indices:
    - index: "auditbeat-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.equals:
        fields.auditbeat: true
    - index: "filebeat-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.not.equals:
        fields.auditbeat: true

setup.template.enabled: true
setup.template.name: "filebeat"
setup.template.pattern: "filebeat-*"
setup.ilm.enabled: true
setup.ilm.mode: auto

I can see the auditbeat indices but not the filebeat indices in Elastic. What am I doing wrong?
Thanks.