Can you help me with an issue I'm facing? Is it possible to configure Winlogbeat to send output to Logstash while still loading the patterns and dashboards for Kibana? Below is a screenshot showing the error I'm encountering when setting up Winlogbeat.
I tried the solution you suggested. I just have this issue: I want the dashboards to use a specific index. I used the following config in my winlogbeat.yml, but the dashboards loaded in Kibana are still using the winlogbeat-* index.
Lines added in the file:

setup.template.settings:
  index.number_of_shards: 1
  #index.codec: best_compression
  #_source.enabled: false
setup.template.name: "soc-data"
setup.template.pattern: "soc-data*"

# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["192.168.194.54:9200"]

  # Protocol - either http (default) or https.
  protocol: "https"

  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  username: "elastic"
  password: "**************"
  index: 'soc-data-%{+xxxx.ww}'

output.elasticsearch.ssl.certificate_authorities: ["C:\\Program Files\\winlogbeat\\elasticsearch-ca.pem"]
When I load the dashboards they're still using the winlogbeat-* index
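The settings above change the template name and pattern but not the index pattern the dashboards are written against, which is a separate setting, setup.dashboards.index (default winlogbeat-*). Two further points a practitioner will want checked: with ILM enabled (the 7.x default when Elasticsearch supports it), Beats ignore setup.template.name, setup.template.pattern and output.elasticsearch.index and install the template as winlogbeat-VERSION instead, so a custom index name needs setup.ilm.enabled: false; and the setup step can be pointed at Elasticsearch and Kibana with -E overrides for one run while the file on disk keeps its Logstash output. The following is an added PowerShell example, not code from the thread or from Elastic; the Kibana address, the password prompt and the exit-code handling are assumptions, the hosts and CA path are the ones posted above.

```powershell
# Added example (not from the original thread): load the index template and
# the Kibana dashboards for a custom index name while winlogbeat.yml keeps
# output.logstash as its runtime output. -E overrides apply to this one
# invocation only, so the file is not edited.
$beat   = 'C:\Program Files\winlogbeat\winlogbeat.exe'
$caFile = 'C:\Program Files\winlogbeat\elasticsearch-ca.pem'   # from the posted config
$esHost = '192.168.194.54:9200'                                 # from the posted config
$kibana = 'https://192.168.194.54:5601'                         # assumed: Kibana on the same host
$esUser = 'elastic'
$esPass = Read-Host -Prompt 'Password for elastic'              # assumption: prompt instead of hard-coding

# The value after '=' is parsed as YAML, so the password is single-quoted
# in case it contains characters such as ':' or '#'.
& $beat setup -e --index-management --dashboards `
    -E "output.logstash.enabled=false" `
    -E "output.elasticsearch.enabled=true" `
    -E "output.elasticsearch.hosts=['$esHost']" `
    -E "output.elasticsearch.protocol=https" `
    -E "output.elasticsearch.username=$esUser" `
    -E "output.elasticsearch.password='$esPass'" `
    -E "output.elasticsearch.ssl.certificate_authorities=['$caFile']" `
    -E "setup.kibana.host=$kibana" `
    -E "setup.ilm.enabled=false" `
    -E "setup.template.name=soc-data" `
    -E "setup.template.pattern=soc-data*" `
    -E "setup.dashboards.index=soc-data-*"
if ($LASTEXITCODE -ne 0) { throw "winlogbeat setup failed with exit code $LASTEXITCODE" }

# Verify what was installed. 7.x Beats install a legacy template by default
# (setup.template.type: legacy), so it is read from _template, not _index_template.
# On Windows PowerShell 5.1 the CA in $caFile must be trusted by the OS store;
# PowerShell 7 could use -SkipCertificateCheck for a lab cluster instead.
$pair    = '{0}:{1}' -f $esUser, $esPass
$headers = @{ Authorization = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($pair)) }

$tmpl = Invoke-RestMethod -Headers $headers -Uri "https://$esHost/_template/soc-data?filter_path=*.index_patterns"
$tmpl.'soc-data'.index_patterns        # the pattern the template will be applied to

$ip = Invoke-RestMethod -Headers $headers -Uri "$kibana/api/saved_objects/_find?type=index-pattern&fields=title"
$ip.saved_objects.attributes.title     # the index patterns the dashboards were loaded against
```

The two verification calls answer the question in the post directly: the first shows whether a template with pattern soc-data* exists at all (if ILM was left enabled it will be missing and the only template will be winlogbeat-7.17.x), and the second shows whether the Kibana index pattern behind the dashboards is soc-data-* or still winlogbeat-*. Run the setup step again after changing either setting; dashboards loaded earlier are overwritten.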
Hi @stephenb,
I really appreciate your support.
It solved my issue and I was able to send all the logs through Logstash and generate the dashboards with the custom-made index.
I just faced a problem that is related to the steps @stephenb advised me to follow. After I loaded the pattern as well as the dashboards with the custom index, I then wanted to disable the settings for the Elasticsearch output and switch to the Logstash output. The documents come with double fields, "field" and "field.keyword", and I got this error when I wanted to change the index for the rules. I added the index in the rule settings and got this error:

EQL Validation Errors
verification_exception: Found 5 problems
line 1:1: Unknown column [event.category], did you mean any of [rule.category, client.nat.port, event_id.keyword, vulnerability.category]?
line 1:15: Unknown column [event.type], did you mean any of [event_type, dns.type, error.type, host.type, input.type, service.type, fields.type, endpoint_type, observer.type, elf.segments.type, client.bytes, event_id, event_type.keyword, file.type, observer.os.type, os.type, user_agent.os.type]?
line 2:3: Cannot use field [process.name] due to ambiguities being mapped as [2] incompatible types: [text] in [soc-data-2024.09.10, soc-data-2024.09.11], [keyword] in [winlogbeat-7.17.23-2024.09.05-000001]
line 2:33: Cannot use field [process.pe.original_file_name] due to ambiguities being mapped as [2] incompatible types: [text] in [soc-data-2024.09.11], [keyword] in [winlogbeat-7.17.23-2024.09.05-000001]
line 3:2: Cannot use field [process.args] due to ambiguities being mapped as [2] incompatible types: [text] in [soc-data-2024.09.10, soc-data-2024.09.11], [keyword] in [winlogbeat-7.17.23-2024.09.05-000001]
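The error above is what Elasticsearch's default dynamic mapping produces when an index is created without a matching template: every string becomes a text field with a keyword sub-field, which is exactly the doubled "field" and "field.keyword" noted in the post, while the Winlogbeat template maps the same ECS fields as keyword. An EQL rule cannot run across indices whose mappings for the same field disagree, and fields that exist in one index but not the other show up as "Unknown column". The field_caps API reports both conditions for a set of indices, and the following added PowerShell example (not code from the thread or from Elastic) turns its response into a list of conflicting fields; the JSON sample is constructed to mirror the thread's error message and is not a real cluster response, and the live-query URL and headers are assumptions.

```powershell
# Added example (not from the original thread): list every field whose
# mapping type differs between the indices an EQL rule reads. Input is the
# object produced by ConvertFrom-Json on an Elasticsearch _field_caps response.
function Get-MappingConflict {
    param([Parameter(Mandatory)] $FieldCaps)
    foreach ($field in $FieldCaps.fields.PSObject.Properties) {
        # One member per mapping type (text, keyword, unmapped, ...); a single
        # member means the field is consistent across all queried indices.
        $types = @($field.Value.PSObject.Properties)
        if ($types.Count -lt 2) { continue }
        [pscustomobject]@{
            Field = $field.Name
            Types = ($types | ForEach-Object {
                '{0} in [{1}]' -f $_.Name, ($_.Value.indices -join ', ')
            }) -join '; '
        }
    }
}

# Constructed sample shaped like _field_caps?include_unmapped=true output for
# the indices named in the thread's error; not a real cluster response.
$sampleFieldCaps = @'
{
  "indices": ["soc-data-2024.09.10", "soc-data-2024.09.11", "winlogbeat-7.17.23-2024.09.05-000001"],
  "fields": {
    "process.name": {
      "text":    { "type": "text",    "searchable": true, "aggregatable": false,
                   "indices": ["soc-data-2024.09.10", "soc-data-2024.09.11"] },
      "keyword": { "type": "keyword", "searchable": true, "aggregatable": true,
                   "indices": ["winlogbeat-7.17.23-2024.09.05-000001"] }
    },
    "process.name.keyword": {
      "keyword": { "type": "keyword", "searchable": true, "aggregatable": true,
                   "indices": ["soc-data-2024.09.10", "soc-data-2024.09.11"] },
      "unmapped": { "type": "unmapped", "searchable": false, "aggregatable": false,
                   "indices": ["winlogbeat-7.17.23-2024.09.05-000001"] }
    },
    "event.category": {
      "keyword":  { "type": "keyword",  "searchable": true,  "aggregatable": true,
                    "indices": ["winlogbeat-7.17.23-2024.09.05-000001"] },
      "unmapped": { "type": "unmapped", "searchable": false, "aggregatable": false,
                    "indices": ["soc-data-2024.09.10", "soc-data-2024.09.11"] }
    },
    "host.name": {
      "keyword": { "type": "keyword", "searchable": true, "aggregatable": true }
    }
  }
}
'@

$caps = $sampleFieldCaps | ConvertFrom-Json
Get-MappingConflict $caps | Format-Table -AutoSize -Wrap

# Against a live cluster (assumed URL; $headers as built for basic auth in the
# earlier setup example): include_unmapped=true is what makes the
# "Unknown column" cases visible as an 'unmapped' type alongside 'keyword'.
# $caps = Invoke-RestMethod -Headers $headers -Uri ("https://192.168.194.54:9200/" +
#         "soc-data-*,winlogbeat-*/_field_caps?fields=process.*,event.*&include_unmapped=true")
# Get-MappingConflict $caps | Format-Table -AutoSize -Wrap
```

On the sample this reports process.name (text in the two soc-data indices, keyword in the winlogbeat index), process.name.keyword and event.category, and stays silent on host.name, which is consistent. Once the list is known there are only two remediations, because the type of an existing field cannot be changed in place: install a template whose index_patterns cover soc-data* before any further daily index is created, then reindex or delete the already-created soc-data-2024.09.* indices; or, until that is done, limit the rule's index pattern to the indices that share one mapping.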