Which indexes does the new Infrastructure / Logs feature use?


#1

The new logs feature in Kibana 6.5.0 only seems to display live logs from a subset of my indexes.
Is there a way to configure this yet? I've tried adding specific indexes to the filter, but it doesn't display any data.

Thanks!


(Felix Stürmer) #2

Hi @Matin_Nayob

thank you for trying out version 6.5 of the Elastic Stack! :elasticheart:

It is currently designed to work with filebeat out of the box. That said, there is some flexibility if you're willing to change the Kibana configuration file (there will be a UI for that soon as well). The index pattern used to read log events can be changed via the xpack.infra.sources.default.logAlias setting, which can contain any index pattern supported by Elasticsearch, e.g.

xpack.infra:
  sources:
    default:
      logAlias: 'filebeat-*,different-filebeat-*'

#3

Excellent, that worked perfectly!

If it's of any interest to you, we capture and manually (via logstash) parse a lot of the different log types that filebeat has modules for (like apache and nginx), rather than using the filebeat modules themselves. We do this because we have our own custom log formats for those systems.

Being able to select non-filebeat indexes from the UI would be perfect for our use case.

Either way, thank you very much for your help, really appreciate the amazing work you guys do!

Matin


(Felix Stürmer) #4

Thank you, that feedback is very valuable indeed. A UI to change those settings more conveniently is being worked on.