Load the Elasticsearch index templateedit

Elasticsearch uses index templates to define:

  • Settings that control the behavior of your indices. The settings include the lifecycle policy used to manage indices as they grow and age.
  • Mappings that determine how fields are analyzed. Each mapping sets the Elasticsearch datatype to use for a specific data field.

The recommended index template file for Auditbeat is installed by the Auditbeat packages. If you accept the default configuration in the auditbeat.yml config file, Auditbeat loads the template automatically after successfully connecting to Elasticsearch. If the template already exists, it’s not overwritten unless you configure Auditbeat to do so.

A connection to Elasticsearch is required to load the index template. If the output is not Elasticsearch (or Elasticsearch Service), you must load the template manually.

This page shows how to change the default template loading behavior to:

For a full list of template setup options, see Elasticsearch index template.

Load your own index templateedit

To load your own index template, set the following options:

setup.template.name: "your_template_name"
setup.template.fields: "path/to/fields.yml"

If the template already exists, it’s not overwritten unless you configure Auditbeat to do so.

Overwrite an existing index templateedit

To overwrite a template that’s already loaded into Elasticsearch, set:

setup.template.overwrite: true

Disable automatic index template loadingedit

You may want to disable automatic template loading if you’re using an output other than Elasticsearch and need to load the template manually. To disable automatic template loading, set:

setup.template.enabled: false

If you disable automatic template loading, you must load the index template manually.

Load the index template manuallyedit

To load the index template manually, run the setup command. A connection to Elasticsearch is required. If another output is enabled, you need to temporarily disable that output and enable Elasticsearch by using the -E option. The examples here assume that Logstash output is enabled. You can omit the -E flags if Elasticsearch output is already enabled.

If you are connecting to a secured Elasticsearch cluster, make sure you’ve configured credentials as described in the Quick start: installation and configuration.

If the host running Auditbeat does not have direct connectivity to Elasticsearch, see Load the index template manually (alternate method).

To load the template, use the appropriate command for your system.

deb and rpm:

auditbeat setup --index-management -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'

mac:

./auditbeat setup --index-management -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'

brew:

auditbeat setup --index-management -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'

linux:

./auditbeat setup --index-management -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'

docker:

docker run docker.elastic.co/beats/auditbeat:7.9.2 setup --index-management -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'

win:

Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select Run As Administrator).

From the PowerShell prompt, change to the directory where you installed Auditbeat, and run:

PS > .\auditbeat.exe setup --index-management -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'

Force Kibana to look at newest documentsedit

If you’ve already used Auditbeat to index data into Elasticsearch, the index may contain old documents. After you load the index template, you can delete the old documents from auditbeat-* to force Kibana to look at the newest documents.

Use this command:

deb and rpm:

curl -XDELETE 'http://localhost:9200/auditbeat-*'

mac:

curl -XDELETE 'http://localhost:9200/auditbeat-*'

linux:

curl -XDELETE 'http://localhost:9200/auditbeat-*'

win:

PS > Invoke-RestMethod -Method Delete "http://localhost:9200/auditbeat-*"

This command deletes all indices that match the pattern auditbeat-*. Before running this command, make sure you want to delete all indices that match the pattern.

Load the index template manually (alternate method)edit

If the host running Auditbeat does not have direct connectivity to Elasticsearch, you can export the index template to a file, move it to a machine that does have connectivity, and then install the template manually.

To export the index template, run:

deb and rpm:

auditbeat export template > auditbeat.template.json

mac:

./auditbeat export template > auditbeat.template.json

brew:

auditbeat export template > auditbeat.template.json

linux:

./auditbeat export template > auditbeat.template.json

win:

PS > .\auditbeat.exe export template --es.version 7.9.2 | Out-File -Encoding UTF8 auditbeat.template.json

To install the template, run:

deb and rpm:

curl -XPUT -H 'Content-Type: application/json' http://localhost:9200/_template/auditbeat-7.9.2 -d@auditbeat.template.json

mac:

curl -XPUT -H 'Content-Type: application/json' http://localhost:9200/_template/auditbeat-7.9.2 -d@auditbeat.template.json

linux:

curl -XPUT -H 'Content-Type: application/json' http://localhost:9200/_template/auditbeat-7.9.2 -d@auditbeat.template.json

win:

PS > Invoke-RestMethod -Method Put -ContentType "application/json" -InFile auditbeat.template.json -Uri http://localhost:9200/_template/auditbeat-7.9.2