Configure Winlogbeat to use Logstash and set up Kibana dashboards at once

Hello everyone,

Can you help me with an issue I'm facing? Is it possible to configure Winlogbeat to send output to Logstash while still loading the patterns and dashboards for Kibana? Below is a screenshot showing the error I'm encountering when setting up Winlogbeat.

Here are some snippets from the winlogbeat.yml:

Hi @akabigsmokee, welcome to the community.

Please don't post pictures of text; they are hard to read and can't be searched, used, etc.

First configure winlogbeat to connect to Kibana and use elasticsearch as the output. Comment out the logstash output.

Then run

.\winlogbeat.exe setup -e

Then comment out the elasticsearch output, uncomment the logstash output, and start winlogbeat.

That should do it.

Thanks for the answer @stephenb !

I tried the solution you suggested. I just have this issue: I want the dashboards to use a specific index. I used the following config in my winlogbeat.yml, but the dashboards loaded in Kibana are still using the winlogbeat-* index.

Lines added in the file:

setup.template.settings:
  index.number_of_shards: 1
  #index.codec: best_compression
  #_source.enabled: false
setup.template.name: "soc-data"
setup.template.pattern: "soc-data*"

# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["192.168.194.54:9200"]

  # Protocol - either http (default) or https.
  protocol: "https"

  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  username: "elastic"
  password: "**************"
  index: 'soc-data-%{+xxxx.ww}'

output.elasticsearch.ssl.certificate_authorities: ["C:\\Program Files\\winlogbeat\\elasticsearch-ca.pem"]

When I load the dashboards, they're still using the winlogbeat-* index.

That was not clear... what version?

Yes you can do that...

take a look at this...

setup.dashboards.enabled: true
setup.dashboards.index: "soc-data-*"

After you do that once, you should disable it, as it will try to load the dashboards every time you start...

Hi @stephenb,
I really appreciate your support,
It solved my issue, and I was able to send all the logs through Logstash and generate the dashboards with the custom-made index.


Hello again,

I just faced this problem that is related to the steps @stephenb advised me to follow. After I loaded the pattern as well as the dashboards with the custom index, I then wanted to disable the settings for the elasticsearch output and switch to the logstash output. The documents come with double fields, "field" and "field.keyword", and I got this error when I wanted to change the index for the rules. I added the index in the rule settings and I got this error.

Here is the error

EQL Validation Errors
verification_exception: Found 5 problems line 1:1: Unknown column [event.category], did you mean any of [rule.category, client.nat.port, event_id.keyword, vulnerability.category]? line 1:15: Unknown column [event.type], did you mean any of [event_type, dns.type, error.type, host.type, input.type, service.type, fields.type, endpoint_type, observer.type, elf.segments.type, client.bytes, event_id, event_type.keyword, file.type, observer.os.type, os.type, user_agent.os.type]? line 2:3: Cannot use field [process.name] due to ambiguities being mapped as [2] incompatible types: [text] in [soc-data-2024.09.10, soc-data-2024.09.11], [keyword] in [winlogbeat-7.17.23-2024.09.05-000001] line 2:33: Cannot use field [process.pe.original_file_name] due to ambiguities being mapped as [2] incompatible types: [text] in [soc-data-2024.09.11], [keyword] in [winlogbeat-7.17.23-2024.09.05-000001] line 3:2: Cannot use field [process.args] due to ambiguities being mapped as [2] incompatible types: [text] in [soc-data-2024.09.10, soc-data-2024.09.11], [keyword] in [winlogbeat-7.17.23-2024.09.05-000001]