I hope everyone is doing well. I am using Filebeat to send Cisco syslog (via the Filebeat cisco module) to Elasticsearch. Apparently it is not using my custom indices; the logs go to the default index filebeat-* instead.
Note: the field host.name is a custom field. I also tried disabling and re-enabling ILM, without success.
Below is my filebeat.yml configuration:
```yaml
# ============================== Filebeat inputs ===============================
filebeat.inputs:
- type: filestream
  id: my-filestream-id
  enabled: false
  paths:
    - /var/log/*.log
    #- c:\programdata\elasticsearch\logs\*
- type: syslog
  enabled: false
  paths:
    - /var/log/*.log
# ============================== Filebeat modules ==============================
filebeat.config.modules:
  # Glob pattern for configuration loading
  path: ${path.config}/modules.d/*.yml
  # Set to true to enable config reloading
  reload.enabled: false
# ======================= Elasticsearch template setting =======================
setup.template.overwrite: true
setup.template.settings:
  index.number_of_shards: 1
# =================================== Kibana ===================================
setup.kibana:
  host: "http://172.30.169.50:5000"
  ssl.verification_mode: "none"
  username: "elastic"
  password: "[email protected]"
# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["172.30.169.50:9200"]
  ssl.verification_mode: "none"
  username: "elastic"
  password: "secret"
  indices:
    - index: "sbx-%{+yyyy.MM.dd}"
      when.contains:
        fields:
          host.name: "SBX"
    - index: "core-%{+yyyy.MM.dd}"
      when.contains:
        fields:
          host.name: "-CS0"
    - index: "access%{+yyyy.MM.dd}"
      when.contains:
        fields:
          host.name: "-AS0"
    - index: "bgp-%{+yyyy.MM.dd}"
      when.contains:
        fields:
          host.name: "RTRBGP"
    - index: "iplc-%{+yyyy.MM.dd}"
      when.contains:
        fields:
          host.name: "IPLC0"
    - index: "asp-%{+yyyy.MM.dd}"
      when.contains:
        fields:
          host.name: "ASP0"
    - index: "sfs-%{+yyyy.MM.dd}"
      when.contains:
        fields:
          host.name: "SFS0"
    - index: "Local_Loop-%{+yyyy.MM.dd}"
      when.contains:
        fields:
          host.name: "LL0"
    - index: "mpls-%{+yyyy.MM.dd}"
      when.contains:
        fields:
          host.name: "MPLS"
    - index: "fortinet-%{+yyyy.MM.dd}"
      when.contains:
        fields:
          event.module: "fortinet"
# ================================= Processors =================================
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~
  - drop_fields:
      when:
        equals:
          event.module: "cisco"
      fields: ["agent.ephemeral_id","agent.hostname","agent.id","agent.type","agent.version","agent.name","cisco.ios.facility","ecs.version","event.cod>
  - drop_fields:
      when:
        equals:
          event.module: "fortinet"
      fields: ["agent.ephemeral_id","agent.hostname","agent.id","agent.type","agent.version","agent.name","ecs.version","event.code","event.dataset","e>
  - dissect:
      when:
        equals:
          event.module: "cisco"
      tokenizer: "%{address}:%{}"
      field: "log.source.address"
      target_prefix: "host"
  - dissect:
      when:
        equals:
          event.module: "cisco"
      tokenizer: "%{} %{name} %{}"
      field: "log.original"
      target_prefix: "host"
```
I came across your question while searching for my own problem. I suspect you still have this issue, but maybe this can help someone else.
I would say your problem is that you did not specify your index template and your data stream:

```yaml
setup.template.name: <yours_template_name>-%{[agent.version]}
setup.template.pattern: <yours_template_name>-%{[agent.version]}
```
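A corrected fragment, added here as an example and not taken from either post. It combines the template name and pattern from the answer with the output's index routing, with two changes to the original config: in Filebeat's condition syntax the field path sits directly under `contains` (the original's extra `fields:` level makes each condition test `fields.host.name`, which the dissect processors never populate, so nothing matches and events fall through to the default index), and the index names are all lowercase, since Elasticsearch rejects index names containing uppercase letters. The common `netlogs-` prefix, the template name, host and credentials are placeholders chosen so that one `setup.template.pattern` covers every custom index.

```yaml
# Template name/pattern from the answer. Filebeat ignores setup.template.name
# and setup.template.pattern while ILM is enabled, so ILM is turned off here.
setup.ilm.enabled: false
setup.template.name: "netlogs"        # placeholder template name
setup.template.pattern: "netlogs-*"   # must cover every custom index below
setup.template.overwrite: true
setup.template.settings:
  index.number_of_shards: 1

output.elasticsearch:
  hosts: ["ES_HOST:9200"]             # placeholder
  username: "elastic"
  password: "CHANGE_ME"               # placeholder
  # Fallback index when none of the conditions below matches.
  index: "netlogs-other-%{+yyyy.MM.dd}"
  indices:
    # Field path directly under `contains`; no `fields:` wrapper.
    - index: "netlogs-sbx-%{+yyyy.MM.dd}"
      when.contains:
        host.name: "SBX"
    - index: "netlogs-core-%{+yyyy.MM.dd}"
      when.contains:
        host.name: "-CS0"
    - index: "netlogs-bgp-%{+yyyy.MM.dd}"
      when.contains:
        host.name: "RTRBGP"
    # Lowercase only: "Local_Loop-..." would be rejected by Elasticsearch.
    - index: "netlogs-local-loop-%{+yyyy.MM.dd}"
      when.contains:
        host.name: "LL0"
    - index: "netlogs-fortinet-%{+yyyy.MM.dd}"
      when.contains:
        event.module: "fortinet"
```

Check the routing before trusting it: a matching event must land in the expected daily index, and an event whose host.name matches nothing must land in netlogs-other-* rather than filebeat-*.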