elasticsearch
KoiGva, 2020-01-28 14:00:11

Why is an extra index created in ElasticSearch?

Hello!

FileBeat has two inputs:

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /home/ ... /storage/logs/laravel*.log
  document_type: json
  json.keys_under_root: true
  fields:
    log_type: laravel_log
- type: log
  enabled: true
  paths:
    - /var/log/apache2/error.log
  fields:
    log_type: apache_log


In Logstash, the ES index is configured depending on the log_type:
input {
  beats {
    port => 5044
  }
}
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "%{[fields][log_type]}-%{+YYYY.MM.dd}"
  }
}


Basically, everything works.
But in ES, in addition to the expected indexes, for some reason, this one is also created:
%{[fields][log_type]}-2020.01.28

The question is, is this normal, and if not, how to get rid of it?


1 answer(s)
KoiGva, 2020-01-28
@koigva

Found out where this index comes from. Logstash writes its logstash-plain.log there.
Apparently because it does not have a log_type, the index is created with that name.
To improve the situation, it turned out like this:

output {
  if [fields][log_type] {
    elasticsearch {
      hosts => ["localhost:9200"]
      index => "%{[fields][log_type]}-%{+YYYY.MM.dd}"
    }
  } else {
    elasticsearch {
      hosts => ["localhost:9200"]
      index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    }
  }
}

It remains only to find out why Logstash sends it to ES at all?
If anyone knows the answer to this question, please post.
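
The behaviour described in the answer, as an added example that is not part of the original post and is not Logstash's own code: a simplified Python model of how a `%{...}` field reference in `index =>` is left as literal text when the event lacks the field, plus a check that flags index names containing such unresolved placeholders. The function names and sample events are constructed for illustration, and the model handles only the `+YYYY.MM.dd` date pattern used on this page.

```python
import re
from datetime import datetime, timezone

PLACEHOLDER = re.compile(r"%\{([^}]+)\}")   # %{...} reference in a template
FIELD_PATH = re.compile(r"\[([^\]]+)\]")    # [a][b] nested field syntax

def lookup(event, ref):
    """Resolve a field reference; return None if any path element is missing."""
    node = event
    for key in FIELD_PATH.findall(ref) or [ref]:   # bare names are top-level keys
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def sprintf(template, event):
    """Simplified model: an unresolved reference stays in the output verbatim."""
    def repl(match):
        ref = match.group(1)
        if ref == "+YYYY.MM.dd":                   # date taken from @timestamp
            return event["@timestamp"].strftime("%Y.%m.%d")
        value = lookup(event, ref)
        return match.group(0) if value is None else str(value)
    return PLACEHOLDER.sub(repl, template)

def route(event):
    """Approximates the conditional output block from the answer."""
    if lookup(event, "[fields][log_type]"):
        return sprintf("%{[fields][log_type]}-%{+YYYY.MM.dd}", event)
    return sprintf("%{[@metadata][beat]}-%{+YYYY.MM.dd}", event)

def unresolved(index_names):
    """Return index names that still contain a literal %{...} placeholder."""
    return [name for name in index_names if PLACEHOLDER.search(name)]

# Constructed sample events (not taken from a real pipeline)
TS = datetime(2020, 1, 28, 14, 0, tzinfo=timezone.utc)
WITH_TYPE = {"@timestamp": TS, "@metadata": {"beat": "filebeat"},
             "fields": {"log_type": "apache_log"}}
WITHOUT_TYPE = {"@timestamp": TS, "@metadata": {"beat": "filebeat"}}
NO_METADATA = {"@timestamp": TS, "message": "constructed"}

if __name__ == "__main__":
    for ev in (WITH_TYPE, WITHOUT_TYPE, NO_METADATA):
        print(sprintf("%{[fields][log_type]}-%{+YYYY.MM.dd}", ev), "->", route(ev))
```

The last sample shows that the fallback branch has the same failure mode: an event with neither `[fields][log_type]` nor `[@metadata][beat]` still produces a literal placeholder in the index name, which `unresolved()` would flag when run over a list of index names.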
