Hello,
I mistakenly deleted the winlogbeat index. However, new data stopped ingesting after deletion.
What can I do?
Regards.
Welcome to our community! 
It should just recreate the index. However it might be worth checking the Winlogbeat logs.
Thanks @warkolm.
I trie: ./winlogbeat -c winlogbeat.yml -e
Here is the sample log:
2020-11-20T10:42:21.318+0200 WARN [elasticsearch] elasticsearch/client.go:407 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xb2af7b4, ext:63741309925, loc:(time.Location)(nil)}, Meta:null, Fields:{"agent":{"ephemeral_id":"70704326-43ec-41d8-a84d-2c4e1bf5a53a","hostname":"bolly-bobo","id":"ef0d400e-bff9-44dd-928b-3b32a27434f1","name":"bolly-bobo","type":"winlogbeat","version":"7.9.0"},"ecs":{"version":"1.5.0"},"event":{"action":"Process Termination","code":4689,"created":"2020-11-20T08:42:09.820Z","kind":"event","provider":"Microsoft-Windows-Security-Auditing"},"host":{"architecture":"x86_64","hostname":"bolly-bobo","id":"9d11a3d6-2667-4b28-9ad0-7d42031df048","ip":********"SubjectUserSid":"S-1-5-18"},"event_id":4689,"keywords":["Audit Success"],"opcode":"Info","process":{"pid":4,"thread":{"id":7116}},"provider_guid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","provider_name":"Microsoft-Windows-Security-Auditing","record_id":1949010,"task":"Process Termination"}}, Private:checkpoint.EventLogState{Name:"Security", RecordNumber:0x1dbd52, Timestamp:time.Time{wall:0xb2af7b4, ext:63741309925, loc:(*time.Location)(nil)}, Bookmark:"\r\n \r\n"}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=400): {"type":"illegal_argument_exception","reason":"no write index is defined for alias [winlogbeat-7.9.0]. The write index may be explicitly disabled using is_write_index=false or the alias points to multiple indices without one being designated as a write index"}
I made a new index with is_write_index set to true. Still no luck.
Are you using ILM?
Yes, I am using ILM
What's the output from the _cat/aliases/winlogbeat-7.9.0?v` API?
alias index filter routing.index routing.search is_write_index
winlogbeat-7.9.0 winlogbeat-7.9.0-2020.08.24-000001 - - - false
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.