Filebeat: multiple modules, output to multiple indices.
Enable several Filebeat modules to ship logs from many sources (the system, auditd and mysql modules, for example) and send each module's events to its own Elasticsearch index instead of a single index under filebeat-*.
Install Filebeat by following the link below.
https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-installation-configuration.html
Enable Filebeat modules
filebeat modules enable system cisco sophos fortinet
Available Filebeat modules
- ActiveMQ module
- Apache module
- Auditd module
- AWS module
- Azure module
- Barracuda module
- Bluecoat module
- CEF module
- Check Point module
- Cisco module
- CoreDNS module
- Crowdstrike module
- Cyberark module
- Cylance module
- Elasticsearch module
- Envoyproxy Module
- F5 module
- Fortinet module
- Google Cloud module
- Google Workspace module
- GSuite module
- haproxy module
- IBM MQ module
- Icinga module
- IIS module
- Imperva module
- Infoblox module
- Iptables module
- Juniper module
- Kafka module
- Kibana module
- Logstash module
- Microsoft module
- MISP module
- MongoDB module
- MSSQL module
- MySQL module
- MySQL Enterprise module
- nats module
- NetFlow module
- Netscout module
- Nginx module
- Office 365 module
- Okta module
- Oracle module
- Osquery module
- Palo Alto Networks module
- PostgreSQL module
- Proofpoint module
- RabbitMQ module
- Radware module
- Redis module
- Santa module
- Snort module
- Snyk module
- Sonicwall module
- Sophos module
- Squid module
- Suricata module
- System module
- Tomcat module
- Traefik module
- Zeek (Bro) Module
- Zoom module
- Zscaler module
filebeat.yml
Configure one index per event module; each rule matches on the event.module field.
```yaml
# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["x.x.x.x:9200"]
  indices:
    - index: "filebeat-%{[agent.version]}-system-%{+yyyy.MM.dd}"
      when.equals:
        event.module: "system"
    - index: "filebeat-%{[agent.version]}-cef-%{+yyyy.MM.dd}"
      when.equals:
        event.module: "cef"
    - index: "filebeat-%{[agent.version]}-cisco-%{+yyyy.MM.dd}"
      when.equals:
        event.module: "cisco"
```
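To see how Filebeat evaluates the `indices` rules above, here is an added Python simulation (not Filebeat code and not from the original post) that routes sample events with the same first-match-wins semantics and the same `%{[field]}` / `%{+date}` format strings. It assumes the documented non-ILM default index `filebeat-%{[agent.version]}-%{+yyyy.MM.dd}` for events no rule matches, and the sample events and the 8.12.0 agent version are constructed; note that the `sophos` and `fortinet` modules enabled earlier have no rule here, so their events land in the default index.

```python
import re
from datetime import datetime, timezone

# Assumption: Filebeat's default daily index name when no `indices` rule matches.
DEFAULT_INDEX = "filebeat-%{[agent.version]}-%{+yyyy.MM.dd}"

# The `indices` rules from the filebeat.yml above, as Python data.
INDICES = [
    {"index": "filebeat-%{[agent.version]}-system-%{+yyyy.MM.dd}", "when": {"equals": {"event.module": "system"}}},
    {"index": "filebeat-%{[agent.version]}-cef-%{+yyyy.MM.dd}", "when": {"equals": {"event.module": "cef"}}},
    {"index": "filebeat-%{[agent.version]}-cisco-%{+yyyy.MM.dd}", "when": {"equals": {"event.module": "cisco"}}},
]

# Joda-style date tokens used by Beats format strings (simplified subset).
_DATE_TOKENS = {"yyyy": "%Y", "MM": "%m", "dd": "%d", "HH": "%H"}

def get_field(event, path):
    """Resolve a dotted path such as "agent.version" in a nested event dict."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def expand(fmt, event):
    """Expand %{[field]} references and %{+pattern} dates (UTC, from @timestamp)."""
    ts = datetime.fromisoformat(event["@timestamp"].replace("Z", "+00:00")).astimezone(timezone.utc)
    def sub(m):
        body = m.group(1)
        if body.startswith("+"):
            pattern = body[1:]
            for joda, strf in _DATE_TOKENS.items():
                pattern = pattern.replace(joda, strf)
            return ts.strftime(pattern)
        val = get_field(event, body.strip("[]"))
        if val is None:
            raise KeyError(f"event lacks field {body}")
        return str(val)
    return re.sub(r"%\{([^}]+)\}", sub, fmt)

def matches(condition, event):
    """Evaluate a when.equals condition: every listed field must equal its value."""
    return all(get_field(event, f) == v for f, v in condition.get("equals", {}).items())

def route(event, indices=INDICES):
    """First matching rule wins, as in Filebeat; otherwise use the default index."""
    for rule in indices:
        if matches(rule["when"], event):
            return expand(rule["index"], event)
    return expand(DEFAULT_INDEX, event)
```

Running `route` over events from an unlisted module is a quick way to check which modules are still falling through to the shared filebeat-* index.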
Kibana
Create an index pattern for each module's indices so that each source can be queried separately.
Resulting output in Kibana Discover.