Hello everyone,
Can you help me with an issue I'm facing? Is it possible to configure Winlogbeat to send output to Logstash while still loading the patterns and dashboards for Kibana? Below is a screenshot showing the error I'm encountering when setting up Winlogbeat.
Hi @akabigsmokee Welcome to the community.
Please don't post pictures of text, they are hard to read and can't be searched used etc..
First configure winlogbeat to connect to Kibana as nd elasticsearch as output. Comment out logstash output.
Then run
.\winlogbeat.exe setup -e
Then comment out elasticsearch output and uncomment logstash output and start winlogbeat
That should do it.
Thanks for the answer @stephenb !
I tried the solution you suggested I just have this issue I want the dashboards to use a specific index I used the following config on my winlogbeat.yml but the dashboards loaded on kibana still using the winlogbeat-* index
lines added in the file :
setup.template.settings:
index.number_of_shards: 1
#index.codec: best_compression
#_source.enabled: false
setup.template.name: "soc-data"
setup.template.pattern: "soc-data*"
# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
# Array of hosts to connect to.
hosts: ["192.168.194.54:9200"]
# Protocol - either http (default) or https.
protocol: "https"
# Authentication credentials - either API key or username/password.
#api_key: "id:api_key"
username: "elastic"
password: "**************"
index: 'soc-data-%{+xxxx.ww}'
output.elasticsearch.ssl.certificate_authorities: ["C:\\Program Files\\winlogbeat\\elasticsearch-ca.pem"]
When I load the dashboards they're still using the winlogbeat-* index
That was not clear... what version?
Yes you can do that...
take a look at this...
setup.dashboards.enabled: true
setup.dashboards.index: "soc-data-*"
After you do that once you should disable as it will try to load the dashboards every time you start...
Hi @stephenb,
I really appreciate your support,
It solved my issue and i was able to make all the logs going through logstash and generate the dashboards with the custom made index.
Hello again,
I just faced this problem that is related to the steps @stephenb advised me to follow. After I loaded the pattern aswell as the dashboards with the custom index I wanted then disable the settings for elasticsearch output and switch to logstash output. The documents come with double fields "field" and "field.keyword" and I got this error when I wanted to change the index for the rules. I added the Index in the rule settings and I got this error
Here is the error
EQL Validation Errors
verification_exception: Found 5 problems line 1:1: Unknown column [event.category], did you mean any of [rule.category, client.nat.port, event_id.keyword, vulnerability.category]? line 1:15: Unknown column [event.type], did you mean any of [event_type, dns.type, error.type, host.type, input.type, service.type, fields.type, endpoint_type, observer.type, elf.segments.type, client.bytes, event_id, event_type.keyword, file.type, observer.os.type, os.type, user_agent.os.type]? line 2:3: Cannot use field [process.name] due to ambiguities being mapped as [2] incompatible types: [text] in [soc-data-2024.09.10, soc-data-2024.09.11], [keyword] in [winlogbeat-7.17.23-2024.09.05-000001] line 2:33: Cannot use field [process.pe.original_file_name] due to ambiguities being mapped as [2] incompatible types: [text] in [soc-data-2024.09.11], [keyword] in [winlogbeat-7.17.23-2024.09.05-000001] line 3:2: Cannot use field [process.args] due to ambiguities being mapped as [2] incompatible types: [text] in [soc-data-2024.09.10, soc-data-2024.09.11], [keyword] in [winlogbeat-7.17.23-2024.09.05-000001]
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.