Logstash Configuration

Logstash on NetEye ships with an Elastic Stack index template, which allows its configuration to be managed from within the NetEye environment.

Please note that Elasticsearch merges all templates whose index patterns match a new index, using a priority scheme: when the values of multiple templates conflict, the value is taken from the template with the higher order field (the higher the value, the higher the priority). Settings that only a lower-order template defines are still applied, since merging combines the templates rather than choosing one.

Warning

This is valid only for Legacy Index Templates. With the new Composable Index Templates no merging takes place: only one template is applied to an index, namely the matching template with the highest priority.
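The two selection rules described above, as an added example that is not part of the NetEye guide. The helper functions and all templates except neteye_logstash_replicas (pattern logstash-*, order 100, index.auto_expand_replicas 0-1, as stated later in this page) are constructed for illustration; the merge rules follow the Elasticsearch documentation for legacy and composable templates.

```python
"""How Elasticsearch derives the settings of a new index from templates.

Added example (not NetEye code). Legacy templates: every matching template is
merged, higher `order` overrides lower on conflicting keys. Composable
templates: no merge, the single matching template with the highest
`priority` applies. Templates other than neteye_logstash_replicas are
constructed for this example.
"""
from fnmatch import fnmatchcase

# Constructed legacy templates, shaped like the response of GET _template.
LEGACY_TEMPLATES = {
    "logstash_defaults": {  # constructed low-priority template
        "index_patterns": ["logstash-*"],
        "order": 0,
        "settings": {"index.number_of_replicas": "1",
                     "index.refresh_interval": "5s"},
    },
    "neteye_logstash_replicas": {  # values as described by the guide
        "index_patterns": ["logstash-*"],
        "order": 100,
        "settings": {"index.auto_expand_replicas": "0-1",
                     "index.number_of_replicas": "0"},
    },
    "metrics_only": {  # constructed; must not influence logstash-* indices
        "index_patterns": ["metrics-*"],
        "order": 500,
        "settings": {"index.number_of_replicas": "2"},
    },
}

# Constructed composable templates, shaped like GET _index_template output.
COMPOSABLE_TEMPLATES = {
    "logstash_defaults": {"index_patterns": ["logstash-*"], "priority": 10},
    "neteye_logstash_replicas": {"index_patterns": ["logstash-*"], "priority": 100},
    "metrics_only": {"index_patterns": ["metrics-*"], "priority": 500},
}


def matching(templates, index_name):
    """Return the templates whose index patterns match index_name."""
    return {
        name: t for name, t in templates.items()
        if any(fnmatchcase(index_name, p) for p in t["index_patterns"])
    }


def legacy_effective_settings(templates, index_name):
    """Legacy rule: apply matching templates from lowest to highest order,
    so a higher order overrides conflicting keys but keeps the others."""
    merged = {}
    ordered = sorted(matching(templates, index_name).values(),
                     key=lambda t: t["order"])
    for template in ordered:
        merged.update(template["settings"])
    return merged


def composable_winner(templates, index_name):
    """Composable rule: exactly one matching template is used, the one with
    the highest priority. Elasticsearch rejects overlapping templates with
    equal priority when they are created, so a tie is reported as an error."""
    hits = matching(templates, index_name)
    if not hits:
        return None
    top = max(t["priority"] for t in hits.values())
    winners = [name for name, t in hits.items() if t["priority"] == top]
    if len(winners) > 1:
        raise ValueError(f"equal priority {top} for {winners}")
    return winners[0]


if __name__ == "__main__":
    index = "logstash-2024.01.01"  # constructed index name
    print("legacy merge:", legacy_effective_settings(LEGACY_TEMPLATES, index))
    print("composable winner:", composable_winner(COMPOSABLE_TEMPLATES, index))
```

Note the difference the warning points at: with the legacy rule the refresh_interval of the low-order template survives into the merged result, whereas with composable templates nothing from logstash_defaults reaches the index at all.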

Furthermore, please note that all pipeline configuration files, located in the /neteye/shared/logstash/conf/conf.*.d folders, are marked as config files in the package, which prevents them from being silently overwritten by future updates. As described in the .rpmsave and .rpmnew migration guide, a config file that was modified both on the system and by the update instead results in an .rpmnew file, so that the user retains control over its migration.

Autoexpand Replicas

We created a Logstash template that configures the replica settings of Logstash indices and applies to both single instances and clusters. New indices matching the pattern logstash-* are automatically created with the index.auto_expand_replicas setting set to the range 0-1, so the number of replicas follows the number of data nodes: zero on a single-node instance and one in a cluster.
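How the 0-1 range translates into an actual replica count, as an added example that is not part of the guide. It applies the rule documented for Elasticsearch (replicas = data nodes minus one, clamped into the lower-upper range, where upper may be "all"); the node counts are constructed inputs.

```python
"""Effective replica count produced by index.auto_expand_replicas.

Added example, not NetEye code. Elasticsearch evaluates the setting as a
range "lower-upper" and sets the replica count to (data nodes - 1), clamped
into that range; "all" as upper bound means "every other data node".
"""


def parse_auto_expand(setting: str):
    """Validate and split a value such as "0-1" or "0-all"."""
    try:
        lower_s, upper_s = setting.split("-", 1)
        lower = int(lower_s)
        upper = None if upper_s == "all" else int(upper_s)
    except ValueError:
        raise ValueError(f"malformed auto_expand_replicas value: {setting!r}")
    if lower < 0 or (upper is not None and upper < lower):
        raise ValueError(f"invalid range: {setting!r}")
    return lower, upper


def expand_replicas(setting: str, data_nodes: int) -> int:
    """Replica count the cluster will apply for the given number of data nodes."""
    if data_nodes < 1:
        raise ValueError("a cluster needs at least one data node")
    lower, upper = parse_auto_expand(setting)
    wanted = data_nodes - 1          # one copy per data node at most
    if upper is not None:
        wanted = min(wanted, upper)  # never exceed the upper bound
    return max(wanted, lower)        # never drop below the lower bound


def replica_plan(setting: str, node_counts):
    """Map each constructed node count to the resulting replica count."""
    return {n: expand_replicas(setting, n) for n in node_counts}


if __name__ == "__main__":
    # Constructed cluster sizes: single instance, two-node and three-node cluster.
    print(replica_plan("0-1", [1, 2, 3]))
```

With "0-1" a single instance runs without replicas (otherwise the cluster would stay yellow with an unassignable replica), while any cluster gets exactly one replica per shard regardless of its size; "0-all" would instead grow with the cluster.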

The name of this template is neteye_logstash_replicas, with an order of 100. You can view the full template with the following command:

GET _template/neteye_logstash_replicas