User Guide

Event Processing

Logstash Configuration

Logstash on NetEye ships with an Elastic Stack template, which allows its configuration to be managed within the NetEye environment.

Furthermore, note that all pipeline configuration files, located in the /neteye/shared/logstash/conf/conf.*.d folders, are marked as config files, which prevents them from being silently overwritten by future updates. As described in the .rpmsave and .rpmnew migration guide, a config file that was modified both on the system and by the update will instead produce an .rpmnew file, so that the user stays in control of its migration.

Logstash Index Template

NetEye configures an index template, logs-logstash, dedicated to Logstash logs. Any log coming from the Logstash main pipeline, which mainly handles rsyslog logs and user-customized input sources, will match the logs-logstash-* pattern of that index template, which will create the dedicated data stream.

To modify the retention policy applied to such logs, set the desired retention period in the data stream control panel by selecting Manage / Edit data retention.

Autoexpand Replicas

Replica configuration for Logstash, which applies both to single instances and to clusters, is done by means of the “neteye-autoexpand-replicas” component template, which is applied to the Logstash index template logs-logstash. New indices matching the pattern logs-logstash-* will therefore automatically have their replicas configured with the range 0-1 through the index.auto_expand_replicas setting.
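The following added example (not NetEye's or Elastic's own code) models how the logs-logstash index template and the neteye-autoexpand-replicas component template described above combine: it resolves which template a new data stream name matches, composes the settings in Elasticsearch's order (component templates first, the index template's own settings last), and shows what the 0-1 range of index.auto_expand_replicas yields on a single node versus a cluster. The request bodies, the data stream name logs-logstash-default and the number_of_shards value are constructed for illustration; the real NetEye templates may carry more settings and mappings.

```python
"""Simplified model of Elasticsearch index/component template composition,
written to illustrate NetEye's logs-logstash template (added example, not
NetEye's or Elastic's own code)."""
from fnmatch import fnmatch

# Constructed bodies in Elasticsearch API shape (PUT _component_template/...
# and PUT _index_template/...); values other than the names are assumptions.
COMPONENT_TEMPLATES = {
    "neteye-autoexpand-replicas": {
        "template": {"settings": {"index.auto_expand_replicas": "0-1"}}
    },
}
INDEX_TEMPLATES = {
    "logs-logstash": {
        "index_patterns": ["logs-logstash-*"],
        "data_stream": {},
        "composed_of": ["neteye-autoexpand-replicas"],
        "priority": 200,
        "template": {"settings": {"index.number_of_shards": "1"}},
    },
}

def matching_template(name):
    """Highest-priority index template whose pattern matches the data stream name."""
    hits = [(t["priority"], n) for n, t in INDEX_TEMPLATES.items()
            if any(fnmatch(name, p) for p in t["index_patterns"])]
    return max(hits)[1] if hits else None

def effective_settings(name):
    """Settings a new data stream and its backing indices receive: component
    templates apply in composed_of order, then the index template's own
    settings override them."""
    tpl_name = matching_template(name)
    if tpl_name is None:
        return {}
    tpl = INDEX_TEMPLATES[tpl_name]
    settings = {}
    for comp in tpl.get("composed_of", []):
        settings.update(COMPONENT_TEMPLATES[comp]["template"]["settings"])
    settings.update(tpl.get("template", {}).get("settings", {}))
    return settings

def replicas_for_cluster(auto_expand, data_nodes):
    """Replica count an auto_expand_replicas range yields for a given number
    of data nodes: "0-1" is 0 on a single node, 1 once a second node exists."""
    low, high = auto_expand.split("-")
    high = data_nodes - 1 if high == "all" else int(high)
    return max(int(low), min(high, data_nodes - 1))
```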