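---
# Filebeat configuration, rendered by Ansible (Jinja2 template).
# Ships auth, system and unbound DNS logs to an Elasticsearch-compatible
# endpoint, using a per-host index template.

# Index lifecycle management is disabled; the template below is managed here.
setup.ilm.enabled: false
setup.template.enabled: true
setup.template.name: "{{ansible_hostname}}-log"
setup.template.pattern: "{{ansible_hostname}}-log-*"
setup.template.overwrite: true

filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/log/auth.log
      - /var/log/messages
      # NOTE(review): "/user/local" looks like a typo for "/usr/local";
      # confirm the path, otherwise unbound logs are silently not collected.
      - /user/local/etc/unbound/unbound.log

# Both dissect processors run on every event; lines that do not match a
# tokenizer are passed through unchanged because ignore_failure is set.
processors:
  # unbound "query:" lines
  - dissect:
      tokenizer: "[%{date}] unbound[%{pid}:%{thread}] query: %{source_ip} %{domain}. %{record_type} IN"
      field: "message"
      ignore_failure: true  # Ignore failures to allow the next processor to run
  # unbound "reply:" lines
  - dissect:
      tokenizer: "[%{date}] unbound[%{pid}:%{thread}] reply: %{client_ip} %{query} %{query_type} %{query_class} %{response_code} %{response_time} %{ttl} %{size}"
      field: "message"
      ignore_failure: true  # Ignore failures to allow the next processor to run

output.elasticsearch:
  # NOTE(review): the endpoint is plain HTTP, so the basic-auth credentials
  # below and the shipped auth/DNS logs cross the network unencrypted.
  # Prefer an https:// host with ssl.certificate_authorities set if the
  # server supports TLS.
  hosts: ["http://linux.service:5080"]
  timeout: 10
  path: "/api/default/"
  index: default
  username: "openobserve@unbl.ink"
  # Supplied by Ansible; keep the variable in Ansible Vault. The rendered file
  # holds the password in clear text, so deploy it readable by the Filebeat
  # user only. A password containing '"' or '\' would break this quoted scalar.
  password: "{{openobserve_password}}"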