Winlogbeat 7.2.0 index name not changing despite specifying setup.template.name, setup.template.pattern

Elastic Stack Beats
1

Hello,
Everyone jhas asked this multiple times and I've tried the solutions but it doesn't seem to work. I have tried to specify the template.name and template.pattern to change the name of the index to which wingbeat indexes the log entries, but it doesn't seem to be working. the index names, patterns, and dashboards are still created with the name: winlogbeat-7.2.0. Here is a part of the config file for reference:

setup.template:
    enabled: false
    name: "elastic1-%{[beat.version]}"
    pattern: "elastic1-%{[beat.version]}-*"
    settings:
        index.number_of_shards: 6
        index.number_of_replicas: 1
        index.codec: best_compression
output.elasticsearch:
    # Array of hosts to connect to.
    hosts: ["https://10.211.1.192:9200"]
    protocol: https
    compression_level: 0
    worker: 3
    escape_html: true
    username: ${ES_BEATS_USER}
    password: ${ES_BEATS_PASSWORD}
    index: "elastic1-%{[beat.version]}-%{+yyyy.MM.dd}"
    ssl.certificate: "C:/Program Files/winlogbeat-7.2.0/certs/transport-esma-signed.pem"
    ssl.key: "C:/Program Files/winlogbeat-7.2.0/certs/transport-esma-signed-key.pem"
    ssl.certificate_authorities: "C:/Program Files/winlogbeat-7.2.0/certs/elastic-intermediate-ca.pem"

The name still defaults to winlogbeat-7.2.0 instead of elastic1-7.2.0-2019-08-31, when I run .\winlogbeat.exe setup. Can you please help with this?

2

The whitespaces seem incorrect in your configuration.

Could you try this config?

setup.template:
  enabled: false
  name: "elastic1-%{[beat.version]}"
  pattern: "elastic1-%{[beat.version]}-*"
  settings:
    index.number_of_shards: 6
    index.number_of_replicas: 1
    index.codec: best_compression
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["https://10.211.1.192:9200"]
  protocol: https
  compression_level: 0
  worker: 3
  escape_html: true
  username: ${ES_BEATS_USER}
  password: ${ES_BEATS_PASSWORD}
  index: "elastic1-%{[beat.version]}-%{+yyyy.MM.dd}"
  ssl.certificate: "C:/Program Files/winlogbeat-7.2.0/certs/transport-esma-signed.pem"
  ssl.key: "C:/Program Files/winlogbeat-7.2.0/certs/transport-esma-signed-key.pem"
  ssl.certificate_authorities: "C:/Program Files/winlogbeat-7.2.0/certs/elastic-intermediate-ca.pem"
3

I used kibana to delete the old indexes and the saved objectsand then added your changes to the config file. I ran .\winlogbeat.exe setup to create the index and dashboards in kibana but still winlogbeat index was created. I also received the following error when I ran winlogbeat.exe setup:

Loading ILM policy and write alias without loading template is not recommended. Check your configuration.
Index setup finished.
Loading dashboards (Kibana must be running and reachable)
Loaded dashboards

Am I missing something?

4

Hello,
I figured this out. After looking over the documentation multiple times, I finally realized I had ILM enabled in my cluster. I changed the template settings to the following:

setup.template:
  settings:
    index.number_of_shards: 6
    index.number_of_replicas: 1
    index.codec: best_compression

setup.template.overwrite: true
setup.ilm.enabled: true
setup.ilm.rollover_alias: "elastic1"
setup.ilm.pattern: "{now/d}"
setup.ilm.policy_name: "elastic1-%{[beat.version]}"
setup.ilm.overwrite: true

Now it indexes the logs to the correct index and everything. However, the index pattern is not created correctly in kibana. The default index pattern is still created winlogbeat-*, and not elastic1-*.

5

Great to hear it.

6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.