Custom index pattern vs ILM

stefws · December 7, 2019, 8:22pm

Attempting to make winlogbeat run on a Windows box and wonder about this issues from the log:

2019-12-07T13:31:20.231+0100 INFO [index-management] idxmgmt/std.go:182 Set output.elasticsearch.index to 'winlogbeat-7.5.0' as ILM is enabled.
2019-12-07T13:31:20.748+0100 INFO [monitoring] log/log.go:118 Starting metrics logging every 30s
2019-12-07T13:31:20.830+0100 WARN beater/eventlogger.go:113 EventLog[Microsoft-Windows-Sysmon/Operational] Open() error. No events will be read from this source. The specified channel could not be found. Check channel configuration.

Would I need to turn off ILM (setup.ilm.enabled: false) when I attempt to use a custom index, eg.:

output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["<redacted>"]

  # Optional protocol and basic auth credentials.
  protocol: "https"
  username: "<redacted>"
  password: "<redacted>"

  # Optional index name. The default is "winlogbeat" plus date
  # and generates [winlogbeat-]YYYY.MM.DD keys.
  # In case you modify this pattern you must update setup.template.name and setup.template.pattern accordingly.
  index: "siempoc_winlogbeat-%{[agent.version]}-%{+yyyy.MM.dd}"

setup.template.enabled: false
setup.template.name: "siempoc_winlogbeat"
setup.template.pattern: "siempoc_winlogbeat-*"

How do I turn off/change monitoring interval?

How do I let winlogbeat get access to Windows Sysmon channel (sorry, newbie Windoze, after +20Y Uni*

rugenl · December 8, 2019, 4:27am

This seems to say the error means sysmon isn't installed.

The 30s item is for winlogbeat's monitoring data, not for sampling of the windows logs. To change it you would specify metrics.period

stefws · December 8, 2019, 9:14am

@rugenl thanks, right makes sense. Believe not enabling ilm will improve use a custom index

stefws · December 9, 2019, 8:08am

Hmm still with:

monitoring.enabled: false
[monitoring.]metrics.period: 60s

I'm seeing this in the winlogbeat log file:

2019-12-09T08:52:46.309+0100	INFO	[monitoring]	log/log.go:118	Starting metrics logging every 30s

Seems it wouldn't turn off monitoring nor change it's frequency

stefws · December 10, 2019, 10:39am

Might monitoring be turn off while 'logging' still logs the metrics even at it's own frequency?

So to 'silence' them both I'll need both these settings:

logging.metrics.enabled: false
monitoring.enabled: false

and these control each their frequencies if enabled:

logging.metrics.period: 60s
metrics.period: 60s

system · January 7, 2020, 10:52am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.