Winlogbeat doesn't create custom index-patterns but Elasticsearch does create custom index names, so everything is broken

Let’s say I want to have winlogbeat and metricbeat on Windows machines for two areas of my company… so I created two spaces in Kibana: “foo” and “bar”.

I want to have different indices for each space.. so, instead of winlogbeat-7.9.1-* , I want to have it as foo-winlogbeat-7.9.1-* and bar-winlogbeat-7.9.1-* and the same for the metricbeat case…
I achieved that in metricbeat, but winlogbeat doesn't create the correct index-pattern, so the visualizations are pointing to the default index (winlogbeat-) instead of the one I need (foo-winlogbeat-).

My guess is something is wrong/different in winlogbeat vs metricbeat about this point.
The relevant configuration in metricbeat was:

setup.template.pattern: "foo-metricbeat-*"
setup.ilm.rollover_alias: "foo-metricbeat"
setup.dashboards.enabled: true
setup.dashboards.index: "foo-metricbeat-*"
setup.kibana:
  host: "1.1.1.1:5601"
  space.id: "foo"
output.elasticsearch:
  hosts: ["1.1.1.1:9200"]
  protocol: "https"
  ssl.certificate_authorities: ['C:\certs\ca\ca.crt']
  username: "elastic"
  password: "password"
output.elasticsearch.index: "foo-metricbeat-%{[agent.version]}-%{+yyyy.MM.dd}"

With pretty much the same configuration (in that section), winlogbeat doesn't create the correct index-pattern or visualizations. It just ignores this part (but in Elasticsearch the index is created as foo-winlogbeat*).

Hmmm, this is strange. The code that handles index pattern creation is common across all Beats. Can you try running winlogbeat setup and see if that creates the correct index pattern?

What I run is "winlogbeat setup -e -c winlogbeat.yml" and "metricbeat setup -e -c metricbeat.yml". When I ran metricbeat's, it created the correct index (foo-metricbeat-*) in ES and the correct index pattern in Kibana (foo-metricbeat-*), and all visualizations point to this index pattern.

When I do the same but in winlogbeat, it creates the correct index, installs the correct index template, correct mappings... but incorrect index pattern (it says just winlogbeat-* instead of foo-winlogbeat-*).

The workaround I made (thanks to a suggestion) is to put my custom part of the name as a suffix instead of a prefix, so, even when the index pattern is wrong, it will work anyway, because it will take winlogbeat-* as a correct pattern, since my index is contained in that pattern (metricbeat-foo in this case).

Still... I think this should be fixed.
