I'm trying to get all my logs into 1 index - I have DNS logs currently going into logstash (lumberjack), now when I want to send windows eventlogs, I'd like them to be indexed in the logstash-* index. Is this possible, as far as I see using winlogbeat you need to create a new index called winlogbeat-*.
The use case is being able to interrogate all data (network/machine) created by sysmon, eventlogs, dns logs, proxy logs. Having a separate index for the wineventlogs makes the correlation impossible.
This is perhaps not in your best interest. Starting in version 6, Elasticsearch will only allow one document type per index. Separate indices are a better way to go for future compatibility.
Thanks for the heads up - but what's the point of log centralization if you then can't search centrally? Or will there be multiple-index search support?
And what exactly do you mean by "one document type"?
You need to have a common prefix in front of the index, e.g. commonword- so each index becomes commonword-winlogbeat- etc, and then you can set up an index pattern called commonword-* that will read them all.
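An added example of the prefix approach for the Winlogbeat side (this is not configuration posted in the thread; the prefix `commonword-`, the `localhost:9200` host and the chosen event log channels are assumptions):

```yaml
# winlogbeat.yml (added example): ship Windows event logs under the shared
# "commonword-" prefix instead of the default winlogbeat-* index.
winlogbeat.event_logs:
  - name: Security
  - name: System
  # Sysmon channel, so Sysmon events land in the same prefixed index family
  - name: Microsoft-Windows-Sysmon/Operational

output.elasticsearch:
  hosts: ["localhost:9200"]   # assumed host
  # Daily index carrying the common prefix; %{[beat.version]} keeps one
  # mapping per Beat version, mirroring the default index naming.
  index: "commonword-winlogbeat-%{[beat.version]}-%{+yyyy.MM.dd}"

# Beats 6.x: when output.elasticsearch.index is changed, the template name and
# pattern must be changed to match, otherwise the Winlogbeat index template
# (and its field mappings) is not applied to the renamed indices.
setup.template.name: "commonword-winlogbeat"
setup.template.pattern: "commonword-winlogbeat-*"
```

On the Logstash side the equivalent is `index => "commonword-logstash-%{+YYYY.MM.dd}"` in the elasticsearch output, after which a single Kibana index pattern `commonword-*` covers the DNS, proxy and Windows event data together while each source keeps its own index and mappings.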