WARNING: Version 6.0 of Auditbeat has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Load the Elasticsearch index template
The setup.template section of the auditbeat.yml config file specifies the index template to use for setting mappings in Elasticsearch. If template loading is enabled (the default), Auditbeat loads the index template automatically after successfully connecting to Elasticsearch.
A connection to Elasticsearch is required to load the index template. If the output is Logstash, you must load the template manually.
You can adjust the following settings to load your own template or overwrite an existing one.
- setup.template.enabled
  Set to false to disable template loading. If you set this to false, you must load the template manually.
- setup.template.name
  The name of the template. The default is auditbeat. The Beat version is always appended to the given name, so the final name is auditbeat-%{[beat.version]}.
- setup.template.pattern
  The template pattern to apply to the default index settings. The default pattern is auditbeat-*. The Beat version is always included in the pattern, so the final pattern is auditbeat-%{[beat.version]}-*. The wildcard character -* is used to match all daily indices.

  Example:

      setup.template.name: "auditbeat"
      setup.template.pattern: "auditbeat-*"
- setup.template.fields
  The path to the YAML file describing the fields. The default is fields.yml. If a relative path is set, it is considered relative to the config path. See the Directory layout section for details.
- setup.template.overwrite
  A boolean that specifies whether to overwrite the existing template. The default is false.
- setup.template.settings
  A dictionary of settings to place into the settings.index dictionary of the Elasticsearch template. For more details about the available Elasticsearch mapping options, please see the Elasticsearch mapping reference.

  Example:

      setup.template.name: "auditbeat"
      setup.template.fields: "fields.yml"
      setup.template.overwrite: false
      setup.template.settings:
        index.number_of_shards: 1
        index.number_of_replicas: 1
- setup.template.settings._source
  A dictionary of settings for the _source field. For the available settings, please see the Elasticsearch reference.

  Example:

      setup.template.name: "auditbeat"
      setup.template.fields: "fields.yml"
      setup.template.overwrite: false
      setup.template.settings:
        _source.enabled: false
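
An added example (not part of the Auditbeat documentation or code base): a small Python check over the setup.template.* settings described above, reporting the cases in which audit events would be indexed without the intended template. The function names, the flattened dotted-key dictionary, the sample index names and the way the version is spliced into a custom pattern are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Defaults as stated on this page.
DEFAULTS = {
    "setup.template.enabled": True,
    "setup.template.name": "auditbeat",
    "setup.template.pattern": "auditbeat-*",
    "setup.template.overwrite": False,
}

def effective_template(cfg, version):
    """Return (final_name, final_pattern) with the Beat version included."""
    c = {**DEFAULTS, **cfg}
    name = f'{c["setup.template.name"]}-{version}'
    pattern = c["setup.template.pattern"]
    # Assumption: the version is inserted before a trailing "-*".
    if pattern.endswith("-*"):
        pattern = f"{pattern[:-2]}-{version}-*"
    return name, pattern

def lint(cfg, version, output, sample_index):
    """Return findings for one flattened auditbeat.yml (hypothetical helper)."""
    c = {**DEFAULTS, **cfg}
    name, pattern = effective_template(cfg, version)
    findings = []
    if not c["setup.template.enabled"]:
        findings.append("template loading disabled: load it manually")
    elif output != "elasticsearch":
        findings.append(f"output is {output}: load the template manually")
    custom = "setup.template.fields" in cfg or "setup.template.settings" in cfg
    if custom and not c["setup.template.overwrite"]:
        findings.append(f"overwrite is false: an existing {name} is kept")
    if not fnmatchcase(sample_index, pattern):
        findings.append(f"{sample_index} does not match {pattern}")
    settings = c.get("setup.template.settings", {})
    if settings.get("_source.enabled") is False:
        findings.append("_source disabled: original event JSON is not stored")
    return findings

# Constructed sample: custom settings, Logstash output, renamed index.
SAMPLE = {"setup.template.settings": {"_source.enabled": False}}

if __name__ == "__main__":
    for finding in lint(SAMPLE, "6.0.0", "logstash", "audit-prod-2017.11.14"):
        print("-", finding)
```

An index whose name does not match the final pattern receives none of the template's mappings, so it is worth running the check against the index names your pipeline actually writes.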