Fields.yml not used by winlogbeat

Hey,

Currently I am doing configurations on my ELK stack, since I figured out that Winlogbeat does not use the default fields.yml to produce results according to ECS. The problem I have is that no matter how I configure Winlogbeat, it does not use the configuration in fields.yml, but I can't figure out what I am doing wrong.

My current configuration is as follows:
winlogbeat.event_logs:
- name: 'c:\path\to\my\security.evtx'

setup.template.enabled: true
setup.template.fields: "${path.home}/fields.yml"
setup.template:
  settings:
    index.number_of_shards: 1

setup.ilm.enabled: false

output.elasticsearch:
  enabled: true
  hosts: ["my.ip.and.my:port"]

I can only imagine that I am doing something wrong with the path? Or that somehow a setting is missing? It is quite weird to me, because it worked once, but I don't have any idea what I did before.

Any suggestions?

Thanks guys,
SKiD

EDIT #1:
I just saw that the template which is created in Elasticsearch (and which, for example, changes the type of winlog.computer_name to keyword) is also shown in "Settings > Index Management > Index templates". If I now create an index pattern based on the index, it shows winlog.computer_name as string. 90% of my attributes are still strings.

EDIT #2:

Versions:
  Elasticsearch: 7.5.2
  Kibana: 7.5.2
  Winlogbeat: 7.5.2
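One way to check whether the winlogbeat template actually reached an index, as an added example that is not code from the original post: compare the field types declared in fields.yml with the live mapping returned by GET winlogbeat-*/_mapping. It assumes fields.yml was loaded with yaml.safe_load (PyYAML) and the mapping response with json.loads; both inputs below are constructed samples, including the index name.

```python
def flatten_fields_yml(entries, prefix=""):
    """fields.yml (as yaml.safe_load returns it) -> {dotted.name: type}; a field with no type is keyword."""
    expected = {}
    for entry in entries:  # top-level entries carry key+fields; "group" entries nest fields
        name = entry.get("name")
        full = prefix + name if name else prefix.rstrip(".")
        if "fields" in entry:
            expected.update(flatten_fields_yml(entry["fields"], full + "." if full else ""))
        else:
            expected[full] = entry.get("type", "keyword")
    return expected

def flatten_mapping(properties, prefix=""):
    """GET <index>/_mapping "properties" tree -> {dotted.name: type} (multi-fields ignored)."""
    actual = {}
    for name, spec in properties.items():
        if "properties" in spec:
            actual.update(flatten_mapping(spec["properties"], f"{prefix}{name}."))
        else:
            actual[prefix + name] = spec.get("type", "object")
    return actual

def template_mismatches(fields_yml, mapping_response):
    """(index, field, expected, actual) for each fields.yml field the index mapped differently."""
    expected = flatten_fields_yml(fields_yml)
    found = []
    for index, body in mapping_response.items():
        actual = flatten_mapping(body["mappings"].get("properties", {}))
        for field, exp in sorted(expected.items()):
            act = actual.get(field)  # None: no document has carried this field yet
            if act is not None and act != exp:  # dynamic mapping, not the template, built it
                found.append((index, field, exp, act))
    return found

# Constructed sample: a fragment of fields.yml as yaml.safe_load returns it.
SAMPLE_FIELDS_YML = [
    {"key": "winlog", "fields": [{"name": "winlog", "type": "group", "fields": [
        {"name": "computer_name", "type": "keyword"}, {"name": "event_id", "type": "keyword"},
        {"name": "record_id", "type": "keyword"}]}]},
    {"key": "ecs", "fields": [{"name": "event", "type": "group", "fields": [{"name": "code", "type": "keyword"}]}]},
]
# Constructed GET winlogbeat-*/_mapping for an index the template never reached: text/long came from dynamic mapping.
SAMPLE_MAPPING = {"winlogbeat-7.5.2-2020.02.01": {"mappings": {"properties": {
    "winlog": {"properties": {
        "computer_name": {"type": "text", "fields": {"keyword": {"type": "keyword"}}},
        "event_id": {"type": "keyword"}, "record_id": {"type": "long"}}},
    "event": {"properties": {"code": {"type": "keyword"}}}}}}}

if __name__ == "__main__":
    print(*template_mismatches(SAMPLE_FIELDS_YML, SAMPLE_MAPPING), sep="\n")
```

Kibana's index pattern field list labels both keyword and text fields as "string" (the difference shows in the aggregatable column), so the mapping API is the reliable place to confirm which type was applied.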
