Winlogbeat doesn't create custom index-patterns but Elasticsearch does create custom index names, so everything is broken

syunusic · September 14, 2020, 3:55pm

Let’s say I want to have winlogbeat and metricbeat in windows machines for two areas of my company… so I created two spaces in Kibana: “foo” and “bar”.

I want to have different indices for each space.. so, instead of winlogbeat-7.9.1-* , I want to have it as foo-winlogbeat-7.9.1-* and bar-winlogbeat-7.9.1-* and the same for the metricbeat case…
I achieve that in metricbeat, but winlogbeat does't create the correct index-pattern, so the visualizations are pointing to the default index (winlogbeat-) instead the one I need (foo-winlogbeat-).

My guess is something is wrong/different in winlogbeat vs metricbeat about his point.
the relevant configuration in metricbeat was:

setup.template.pattern: "foo-metricbeat-*"
setup.ilm.rollover_alias: "foo-metricbeat"
setup.dashboards.enabled: true
setup.dashboards.index: "foo-metricbeat-*"
setup.kibana:
host: "1.1.1.1:5601"
space.id: "foo"
output.elasticsearch:
hosts: ["1.1.1.1:9200"]
protocol: "https"
ssl.certificate_authorities: ['C:\certs\ca\ca.crt']
username: "elastic"
password: "password"
output.elasticsearch.index: "foo-metricbeat-%{[agent.version]}-%{+yyyy.MM.dd}"

With pretty much the same configuration (in that section) with winlogbeat, doesn't create the correct index-pattern nor visualizations. It just ignores this part (but in Elasticsearch the index is created as foo-winlogbeat*)

shaunak · September 14, 2020, 9:03pm

Hmmm, this is strange. The code that handles index pattern creation is common across all Beats. Can you try running winlogbeat setup and see if that creates the correct index pattern?

syunusic · September 15, 2020, 2:50am

What I run is "winlogbeat setup -e -c winlogbeat.yml" and "metricbeat setup -e -c metricbeat.yml". When I ran metricbeat's, it creates the correct index (foo-metricbeat-* ) in ES, the correct index pattern in Kibana (foo-metricbeat-* ), and all visualizations points to this index patterns.

When I do the same but in winlogbeat, it creates the correct index, installs the correct index template, correct mappings... but incorrect index pattern (it says just winlogbeat-* instead of foo-winlogbeat-*).

The workaround I made (thanks to a suggestion), is to create the my custom part of the name as a suffix instead of a prefix, so, even when the index pattern is wrong, it will work anyways because it will take winlogbeat-* as a correct pattern, because my index is contained in that pattern (metricbeat-foo in this case).

Still... I think this should be fixed.

system · October 13, 2020, 4:50am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to configure winlogbeat to use existing index in elasticsearch Beats	5	511	October 4, 2018
Separate Index Pattern for each Windows Log Beats winlogbeat	2	524	April 25, 2018
No Index for winlogbeat-* Beats winlogbeat	2	1940	February 24, 2017
Create a custom index in winlogbeat using cloud.id Beats winlogbeat	3	406	May 30, 2019
Index_Pattern set to metricbeat-* on sample dashboards Beats metricbeat	4	1188	March 9, 2018

Winlogbeat doesn't create custom index-patterns but Elasticsearch does create custom index names, so everything is broken

Related topics