ELK does not see indexes

Hello. I'm just learning how to work with ELK. I want to set up the transfer of logs from AD.
Installed on server 1: Elasticsearch, Kibana, Logstash v8.4
Server 2: Windows Event Forwarding, Winlogbeat

winlogbeat config:

winlogbeat.event_logs:
  - name: ForwardedEvents
    forwarded: true
    # ignore_older: 72h

tags: ["winsrvad"]

output.logstash:
  hosts: ["192.169.1.30:5044"]

#logging.level: info
#logging.to_files: true
logging.files:
  path: C:\ProgramData\winlogbeat\logs
  # name: winlogbeat.log
  # keepfiles: 3

Logstash config:

input {
    beats {
        port => 5044
    }
}
filter {
    if "winsrvad" in [tags] {
        if [winlog][event_id] != "5136" and [winlog][event_id] != "5139" and [winlog][event_id] != "5141" and [winlog][event_id] != "5137" and [winlog][event_id] != "4741" and [winlog][event_id] != "4742" and [winlog][event_id$
            drop { }
        }
    }
}
output {
    if [type] == "winsrvad" {
        elasticsearch {
            hosts => ["localhost:9200"]
            index => "winsrvas-%{+YYYY.MM.dd}"
            user => "Logstash"
            password => "xxxxxxxxx"
        }
    }
}

Data View: "create a data view against hidden, system or default indices" - no index
curl -XGET 'http://localhost:9200/_search?size=10000&pretty'

{
  "took" : 0,
  "timed_out" : false,
  "_shards" : {
    "total" : 0,
    "successful" : 0,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 0,
      "relation" : "eq"
    },
    "max_score" : 0.0,
    "hits" : [ ]
  }
}

Please help

Where is the type field coming from? Does this field really exist in your message?

You are not adding it anywhere in the configurations you shared.

You have winsrvad as a tag; you could use it in your output conditional:

output {
    if "winsrvad" in [tags] {
        elasticsearch { ...}
    }
}
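For reference, here is a complete pipeline that applies the fix above. This is an added example, not a config from the thread: the event ID list is only the IDs visible in the question (the original line is truncated), the index name is aligned with the tag as winsrvad-*, the user name logstash_writer is assumed, and the password is read from the Logstash keystore or environment via ${LOGSTASH_PW} instead of being written into the file. Winlogbeat 8 ships winlog.event_id as a string, so the quoted comparisons are correct; the `not in` operator replaces the long chain of `!=` tests.

```logstash
input {
  beats {
    port => 5044
  }
}

filter {
  # Keep only the AD object-change events the question is interested in
  # (IDs taken from the question; the original list was cut off).
  if "winsrvad" in [tags] {
    if [winlog][event_id] not in ["4741", "4742", "5136", "5137", "5139", "5141"] {
      drop { }
    }
  }
}

output {
  # Route on the tag Winlogbeat actually sets; the events carry no [type] field,
  # so "if [type] == ..." never matches and nothing is ever indexed.
  if "winsrvad" in [tags] {
    elasticsearch {
      hosts    => ["http://localhost:9200"]   # option is `hosts`, not `host`
      index    => "winsrvad-%{+YYYY.MM.dd}"    # assumed name, matching the tag
      user     => "logstash_writer"           # assumed user with write access
      password => "${LOGSTASH_PW}"            # from the keystore/environment, not inline
    }
  }
  # Uncomment while debugging to see which events reach the output stage:
  # stdout { codec => rubydebug }
}
```

After restarting Logstash, check that the index now exists with curl -s 'http://localhost:9200/_cat/indices/winsrvad-*?v'. The `_search` response in the question reports 0 total shards, which means no index had been created at all; the Kibana data view can only be created once the first document has been written.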
