I have the following setup:
- 3 - EL Cluster Servers v8.5
- 1 - Logstash Server v8.5
- 1 - Kibana Server v8.5
- 2 - Windows 2019 Domain Controllers with Winlogbeat installed, connecting to the Logstash server.
When I try to open any Winlogbeat dashboard I get various errors, like:
Fielddata is disabled on [winlog.provider_name] in [winlogbeat-8.5.3-2023.10.23]. Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [winlog.provider_name] in order to load field data by uninverting the inverted index. Note that this can use significant memory.
The same happens for [winlog.channel], [winlog.loglevel] and various other fields. Since this is a new install, here is how I did the install on one of the DCs:
- Installed winlogbeat-8.5.3.msi
- Modified C:\ProgramData\Elastic\Beats\Winlogbeats\winlogbeat.yml with the Kibana IP, the Elasticsearch cluster IPs and the event log information:

```yaml
winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: System
    ignore_older: 72h
  - name: Security
    event_id: 1102, 1104, 1108, 4624, 4625, 4646, 4672, 4698, 4700, 4720, 4723, 4725, 4727, 4728, 4731, 4732, 4740
    processors:
      - drop_event.when.not.or:
          - equals.winlog.event_id: 4754
          - equals.winlog.event_id: 4756
          - equals.winlog.event_id: 4767
          - equals.winlog.event_id: 4771
          - equals.winlog.event_id: 4776
          - equals.winlog.event_id: 4780
          - equals.winlog.event_id: 4782
          - equals.winlog.event_id: 4798
          - equals.winlog.event_id: 4799
  - name: Microsoft-Windows-Sysmon/Operational
    level: critical, error, warning
  - name: Windows PowerShell
    event_id: 400, 403, 600, 800
  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104, 4105, 4106
  - name: ForwardedEvents
    tags: [forwarded]
  ## Domain Controller Only
  - name: DFS Replication
  - name: Directory Service
  - name: DNS Server
  - name: Active Directory Web Services
```

- Ran `.\winlogbeat.exe test config -c .\winlogbeat.yml -e` and all is good
- Ran `.\winlogbeat.exe setup -e` to set up all the assets
- When this completed, I changed winlogbeat.yml to send data to Logstash instead of Elasticsearch
- Started the service with `Start-Service winlogbeat`
On the Logstash server, the config file:

```
[root@r2-logstash ~]# cat /etc/logstash/conf.d/beats.conf
input {
  beats {
    port => 5044
  }
}
output {
  elasticsearch {
    hosts => ["192.168.103.40:9200","192.168.103.41:9200","192.168.103.42:9200"]
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
}
```
I log into Kibana and, under Index Management, see several pages of indices with various dates: winlogbeat-8.5.3-2023.09.07, winlogbeat-8.5.3-2023.09.06, etc.
So it looks like the data is getting into the Elasticsearch cluster.
I'm extremely new to working with the ELK stack. I'm not sure why the standard configurations would display errors. I have tried the install a couple of times, deleted all the indices, tried `winlogbeat setup --index-management` and other things I could find, but I'm still having issues.
I'm at a loss on where to look at next.
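As an added diagnostic example, not part of the post above: the Python below takes a `GET <index>/_mapping` response and lists which fields are typed `text` (the type the fielddata error complains about), and checks whether an index name such as winlogbeat-8.5.3-2023.10.23 matches a template's `index_patterns` list. The mapping JSON and the pattern lists are constructed samples, not output from the poster's cluster.

```python
import json
import re

# Constructed sample of a GET <index>/_mapping response for an index that received
# documents without a matching index template, so string fields were dynamically
# mapped as "text" with a .keyword subfield. Not real cluster output.
SAMPLE_MAPPING = json.loads("""
{"winlogbeat-8.5.3-2023.10.23": {"mappings": {"properties": {
  "winlog": {"properties": {
    "provider_name": {"type": "text", "fields": {"keyword": {"type": "keyword"}}},
    "channel":       {"type": "text", "fields": {"keyword": {"type": "keyword"}}},
    "event_id":      {"type": "long"}
  }},
  "message": {"type": "text"}
}}}}
""")

def flatten_properties(props, prefix=""):
    """Yield (dotted_field_name, field_definition) for a mappings "properties" tree."""
    for name, spec in props.items():
        path = prefix + name
        if "properties" in spec:  # object field: descend into its children
            yield from flatten_properties(spec["properties"], path + ".")
        else:
            yield path, spec

def text_fields(mapping_response):
    """Dotted names of every field mapped as "text" in an _mapping response.
    Aggregating or sorting on such a field is what raises the
    "Fielddata is disabled on [...]" error; the dashboards expect "keyword"."""
    found = []
    for body in mapping_response.values():
        props = body.get("mappings", {}).get("properties", {})
        found.extend(p for p, spec in flatten_properties(props) if spec.get("type") == "text")
    return sorted(found)

def matching_patterns(index_name, index_patterns):
    """Patterns (as listed under index_patterns in GET _index_template) that index_name
    matches; only "*" is treated as a wildcard. Empty means no such template applied."""
    def matches(pattern):
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        return re.fullmatch(regex, index_name) is not None
    return [p for p in index_patterns if matches(p)]
```

Running the same two checks against the real `_mapping` and `_index_template` output for an affected index shows whether the fields the dashboards aggregate on were dynamically mapped rather than set by the Winlogbeat template.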