Filebeat: multiple modules output to multiple indices.

Emmanuel Adepoju
2 min read · Mar 21, 2021
Filebeat modules enabled for different events

Enable multiple Filebeat modules to ship logs from many sources (for example the system, audit and mysql modules) and send each module's events to its own Elasticsearch index, instead of collecting everything in a single index under filebeat-*.

Install Filebeat by following the link below.
https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-installation-configuration.html

Enable Filebeat modules

filebeat modules enable system cisco sophos fortinet

Filebeat modules

filebeat.yml file

Configure the indices for the different event modules. Filebeat evaluates the `indices` rules in order and writes each event to the first index whose `when.equals` condition matches; an event that matches no rule falls back to the `index` setting (by default filebeat-%{[agent.version]}-%{+yyyy.MM.dd}).

# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["x.x.x.x:9200"]
  indices:
    - index: "filebeat-%{[agent.version]}-system-%{+yyyy.MM.dd}"
      when.equals:
        event.module: "system"
    - index: "filebeat-%{[agent.version]}-cef-%{+yyyy.MM.dd}"
      when.equals:
        event.module: "cef"
    - index: "filebeat-%{[agent.version]}-cisco-%{+yyyy.MM.dd}"
      when.equals:
        event.module: "cisco"
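To see how these rules behave before pointing Filebeat at a cluster, here is an added Python model of the index selector (an illustration written for this post, not Filebeat's own code): it walks the `indices` rules in order, picks the first whose `when.equals` fields all match, and falls back to Filebeat's default `index` when none does. The rule list mirrors the filebeat.yml above; the sample events and the timestamp standing in for @timestamp are constructed.

```python
import re
from datetime import datetime, timezone

# Constructed mirror of the `indices` rules in the filebeat.yml above.
INDICES = [
    {"index": "filebeat-%{[agent.version]}-system-%{+yyyy.MM.dd}",
     "when": {"equals": {"event.module": "system"}}},
    {"index": "filebeat-%{[agent.version]}-cef-%{+yyyy.MM.dd}",
     "when": {"equals": {"event.module": "cef"}}},
    {"index": "filebeat-%{[agent.version]}-cisco-%{+yyyy.MM.dd}",
     "when": {"equals": {"event.module": "cisco"}}},
]
# Filebeat's default `index` value, used when no rule matches.
DEFAULT_INDEX = "filebeat-%{[agent.version]}-%{+yyyy.MM.dd}"

def get_field(event, dotted):
    """Resolve a dotted name such as 'event.module' in a nested event dict."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def expand(fmt, event, ts):
    """Expand %{[field]} and %{+yyyy.MM.dd} tokens (only that date layout)."""
    def repl(m):
        token = m.group(1)
        if token.startswith("+"):
            return ts.strftime("%Y.%m.%d")
        return str(get_field(event, token.strip("[]")))
    return re.sub(r"%\{([^}]+)\}", repl, fmt)

def select_index(event, ts, rules=INDICES, default=DEFAULT_INDEX):
    """First rule whose when.equals fields all match wins; else the default index."""
    for rule in rules:
        cond = rule.get("when", {}).get("equals", {})
        if all(get_field(event, k) == v for k, v in cond.items()):
            return expand(rule["index"], event, ts)
    return expand(default, event, ts)

# Constructed sample events; SAMPLE_TS stands in for each event's @timestamp.
SAMPLE_TS = datetime(2021, 3, 21, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"agent": {"version": "7.11.2"}, "event": {"module": "cef"}},
    {"agent": {"version": "7.11.2"}, "event": {"module": "system"}},
    {"agent": {"version": "7.11.2"}, "event": {"module": "mysql"}},  # no rule matches
    {"agent": {"version": "7.11.2"}},                                  # module field absent
]

def route_samples():
    """Index chosen for each sample event, in order."""
    return [select_index(e, SAMPLE_TS) for e in SAMPLE_EVENTS]
```

The last two samples show the point to check in your own config: a module you enabled but did not list under `indices` (mysql here) silently lands in the default filebeat-* index rather than its own.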

Kibana

Create an Index pattern for the different modules

Create index pattern for different modules

Kibana output on Discover

filebeat-7.11.2-cef logs
filebeat-7.11.2-system logs
