I have taken over an elasticsearch 6.6.2 environment which was a proof of concept to centralize event_logs monitoring.
I have upgraded the servers to Windows 2019 and elasticsearch to 7.1.0 (and now 7.1.1) and added a dedicated ingest node (and included other event_logs), but now the indexes are not ‘daily’ anymore but just one big index. Even when the date rolled over last night, it still kept using the single index. This was working correctly in 6.6.2, so I am wondering if I am missing something.
Previously we had indexes like:
winlogbeat-6.6.2-2019.06.02
winlogbeat-6.6.2-2019.06.01
winlogbeat-6.6.2-2019.05.31
even all the way back to 2018 while the PoC was started in February 2019, so it seems that the older events caused indexes with past dates to be created.
Now, however, I have just one big index containing all event dates, named with the date on which winlogbeat (7.1.0) was started:
winlogbeat-7.1.0-2019.06.04-000001
Is this something new in version 7?
I tried adding the settings (to a new winlogbeat with the latest version):
setup.template.name: "winlogbeat-7.1.1"
setup.template.pattern: "winlogbeat-7.1.1-*"
output.elasticsearch:
  hosts: ["elastic-in:9200"]
  index: "winlogbeat-%{[agent.version]}-%{+yyyy.MM.dd}"
I ran winlogbeat setup --template and verified that the template was there.
But that still creates a winlogbeat-7.1.1-2019.06.05-000001 (so with the number at the end).
Has this behavior changed in version 7?
Is it because I now have a dedicated ingest node?
Do I need additional settings? (I copied the winlogbeat.yml from the 6.6.2 PoC and added the event_log names.)
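For comparison, the following is an added winlogbeat.yml fragment (not from the post above, and not the poster's configuration) showing the two naming behaviours side by side. In Beats 7.x, index lifecycle management (ILM) is enabled by default whenever the cluster supports it; with ILM on, events are written through a rollover alias and the backing index gets the `-000001` suffix, and the `output.elasticsearch.index`, `setup.template.name` and `setup.template.pattern` settings are ignored. Turning ILM off restores the per-day index names. The hostname `elastic-in:9200` is taken from the post; everything else is a generic example.

```yaml
# --- Variant A: ILM enabled (the 7.x default when Elasticsearch supports ILM) ---
# Writes go to the rollover alias "winlogbeat-7.1.1"; the backing index is
# "winlogbeat-7.1.1-2019.06.05-000001" and rolls over by size/age, not by day.
# With ILM on, output.elasticsearch.index and setup.template.* are ignored.
setup.ilm.enabled: auto
setup.ilm.rollover_alias: "winlogbeat-%{[agent.version]}"
setup.ilm.pattern: "{now/d}-000001"
output.elasticsearch:
  hosts: ["elastic-in:9200"]

# --- Variant B: ILM disabled, one index per day as in the 6.x PoC ---
# Disabling ILM makes Beats honour the explicit index name again; the template
# name/pattern must match it so daily indices pick up the winlogbeat mappings.
# setup.ilm.enabled: false
# setup.template.name: "winlogbeat-%{[agent.version]}"
# setup.template.pattern: "winlogbeat-%{[agent.version]}-*"
# output.elasticsearch:
#   hosts: ["elastic-in:9200"]
#   index: "winlogbeat-%{[agent.version]}-%{+yyyy.MM.dd}"
```

Only one variant should be active at a time (the second is commented out here so the file stays valid YAML). After changing the ILM setting, rerun `winlogbeat setup --template` so the template matching the chosen naming scheme is loaded; existing indices keep their old names either way.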