Winlogbeat creates indexes based on dates from the past

Hello,

I have a strange problem with winlogbeat. I've installed winlogbeat 1.3 on servers and receive directly on elastic port 9200 corrupted logs that create indexes starting from December 2015 through now! Even if I delete all winlogbeat indexes, they are recreated automatically! I have only one elasticsearch db, no cluster.

Daily indexes are automatically created based on the event @timestamp. Winlogbeat uses the event log record's TimeCreated field as the @timestamp in its events [1]. If you wish to have Winlogbeat only report events that were created within the last N hours/minutes/seconds, then you can use the ignore_older setting [2]. Note that in Winlogbeat 5.x the ignore_older filter implementation has been improved and is much faster, since it uses a time-based query when asking Windows for event log records.

Thanks Andrew for your quick reply, very appreciated. Here is what I am using in the config, and it's the default when installing winlogbeat 1.3.

  event_logs:
    - name: Application
      ignore_older: 72h
    - name: Security
    - name: System

ignore_older is already set! Or maybe the order is important here, and having the parameter after "- name: Application" makes it only apply to the Application log?

It's only set for the Application log in the config you provided. Use the following if you would like 72h set for each event log.

  event_logs:
    - name: Application
      ignore_older: 72h
    - name: Security
      ignore_older: 72h
    - name: System
      ignore_older: 72h

Order doesn't matter. event_logs is a list of dictionaries (key/value pairs). Each "-" indicates a new entry in the list. Each dictionary configures an individual event log reader. In 1.3 the only options are name (required) and ignore_older (optional). In 5.x there are a few more.
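To make both points in this thread concrete (daily indexes follow each record's TimeCreated, and ignore_older is a per-entry setting because event_logs is a list of dictionaries), here is a small added example. It is not code from the thread or from Winlogbeat itself: it mirrors the two YAML configs above as Python literals (to avoid a YAML library), uses a fixed clock and a handful of constructed event records, and reproduces the selection logic in plain Python so you can see which daily indexes each config would create.

```python
from datetime import datetime, timedelta, timezone
import re

# Daily index name derived from an event's @timestamp, in the same
# winlogbeat-YYYY.MM.DD shape as the indexes the original poster saw.
def index_name(ts: datetime, prefix: str = "winlogbeat") -> str:
    return f"{prefix}-{ts.strftime('%Y.%m.%d')}"

_DURATION_RE = re.compile(r"^(\d+)([smh])$")

def parse_duration(text: str) -> timedelta:
    """Parse durations in the form used by ignore_older, e.g. '72h', '30m', '10s'."""
    m = _DURATION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    n, unit = int(m.group(1)), m.group(2)
    return timedelta(**{{"s": "seconds", "m": "minutes", "h": "hours"}[unit]: n})

def effective_ignore_older(event_logs):
    """Map each event log name to its ignore_older (timedelta) or None.

    Each list entry is its own dictionary, so an ignore_older on one entry
    never applies to the others; an entry without it reads every record."""
    result = {}
    for entry in event_logs:
        if "name" not in entry:
            raise ValueError("each event_logs entry needs a 'name'")
        raw = entry.get("ignore_older")
        result[entry["name"]] = parse_duration(raw) if raw is not None else None
    return result

def select_events(events, ignore_older, now):
    """Keep only records whose TimeCreated is newer than now - ignore_older.
    ignore_older=None means no filter: the whole log is read back."""
    if ignore_older is None:
        return list(events)
    cutoff = now - ignore_older
    return [e for e in events if e["TimeCreated"] > cutoff]

def indexes_created(event_logs, events_by_log, now):
    """Set of daily index names that these records would create under this config."""
    limits = effective_ignore_older(event_logs)
    names = set()
    for log, events in events_by_log.items():
        for e in select_events(events, limits.get(log), now):
            names.add(index_name(e["TimeCreated"]))
    return names

# The first config from the thread: ignore_older only on the Application entry.
CONFIG_ONLY_APPLICATION = [
    {"name": "Application", "ignore_older": "72h"},
    {"name": "Security"},
    {"name": "System"},
]

# The corrected config: ignore_older on every entry.
CONFIG_ALL_LOGS = [
    {"name": "Application", "ignore_older": "72h"},
    {"name": "Security", "ignore_older": "72h"},
    {"name": "System", "ignore_older": "72h"},
]

# Constructed sample data: a fixed "now" and one old plus one recent record per log.
NOW = datetime(2016, 9, 1, 12, 0, tzinfo=timezone.utc)
EVENTS = {
    "Application": [
        {"TimeCreated": datetime(2015, 12, 3, 8, 0, tzinfo=timezone.utc), "EventID": 1000},
        {"TimeCreated": datetime(2016, 8, 31, 10, 0, tzinfo=timezone.utc), "EventID": 1001},
    ],
    "Security": [
        {"TimeCreated": datetime(2015, 12, 3, 9, 0, tzinfo=timezone.utc), "EventID": 4624},
        {"TimeCreated": datetime(2016, 8, 31, 11, 0, tzinfo=timezone.utc), "EventID": 4625},
    ],
    "System": [],
}

if __name__ == "__main__":
    for label, cfg in (("only Application", CONFIG_ONLY_APPLICATION), ("all logs", CONFIG_ALL_LOGS)):
        print(f"ignore_older on {label}: {sorted(indexes_created(cfg, EVENTS, NOW))}")
```

With the first config the December 2015 Security record is still read and lands in winlogbeat-2015.12.03, which is exactly the "indexes from the past" symptom; with ignore_older on every entry only the 2016.08.31 index appears.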

Thanks Andrew,

It works now.
