All the beats documentation provide instructions on loading the template index manually through an alternate method if your beat shipper doesn't have access to elasticsearch (for example: https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-template.html#load-template-manually)
These instructions involve exporting the template using the "export template" command, then loading the template into elasticsearch using curl.
I spent ages trying to get this to work with the winlogbeat but kept getting "Text fields are not optimised for operations" errors. After proxying the commands the shipper is sending to elasticsearch it turns out that there is an index alias needs to be created, a step that is not included in the instructions. For example, for winlogbeat 7.9.0 this would be:
curl -s -u "elastic:XXXXXXXX" -X PUT "https://localhost:9200/%3Cwinlogbeat-7.9.0-%7Bnow%2Fd%7D-000001%3E" \
-H 'Content-Type: application/json' -d "{\"aliases\":{\"winlogbeat-7.9.0\":{\"is_write_index\":true}}}"
After running this everything worked perfectly. Wasn't sure wether I should raise this as an issue so just decided to leave it here in case anyone else encounters this problem.
