How can I change "winlogbeat" name in "template.name"?


(Jason) #1

Hello.
Why can't I change the "winlogbeat" name in the "template.name" section of the config file?

Thank you.


(Mark Walkom) #2

You can.
If you are having issues then please provide more details on what the problem is and what you are doing.


(Jason) #3

My config is:

output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["172.30.9.20:9200"]
  template.name: "server1"
  template.path: "server1.template.json"
  template.overwrite: false

  # Optional protocol and basic auth credentials.
  #protocol: "https"
  #username: "elastic"
  #password: "changeme"

But when I restart the "winlogbeat" service, I get:
service

Why?


(Mark Walkom) #4

What does the log show?


(Jason) #5

Log said:

The winlogbeat service failed to start due to the following error: 
The service did not respond to the start or control request in a timely fashion.
A timeout was reached (30000 milliseconds) while waiting for the winlogbeat service to connect.

(Andrew Kroh) #6

@hack3rcon Please post your full configuration, Winlogbeat version, and the config test output (see #3 in this section of the getting started guide).

And BTW there should be a log dir and file in the directory where you installed Winlogbeat. It would be good to check that too as @warkolm suggested.


(Jason) #7

My configuration is:

###################### Winlogbeat Configuration Example ##########################

# This file is an example configuration file highlighting only the most common
# options. The winlogbeat.full.yml file from the same directory contains all the
# supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/winlogbeat/index.html

#======================= Winlogbeat specific options ==========================

# event_logs specifies a list of event logs to monitor as well as any
# accompanying options. The YAML data type of event_logs is a list of
# dictionaries.
#
# The supported keys are name (required), tags, fields, fields_under_root,
# forwarded, ignore_older, level, event_id, provider, and include_xml. Please
# visit the documentation for the complete details of each option.
# https://go.es.io/WinlogbeatConfig
winlogbeat.event_logs:
#  - name: Application
#    ignore_older: 72h
  - name: Security
    event_id: 4660,4663
#  - name: System


#================================ General =====================================

# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
#name:

# The tags of the shipper are included in their own field with each
# transaction published.
#tags: ["service-X", "web-tier"]

# Optional fields that you can specify to add additional information to the
# output.
#fields:
#  env: staging

#================================ Outputs =====================================

# Configure what outputs to use when sending the data collected by the beat.
# Multiple outputs may be used.

#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["172.30.9.20:9200"]
  template.name: "server1"
  template.path: "server1.template.json"
  template.overwrite: false

  # Optional protocol and basic auth credentials.
  #protocol: "https"
  #username: "elastic"
  #password: "changeme"

#----------------------------- Logstash output --------------------------------
#output.logstash:
  # The Logstash hosts
 # hosts: ["172.30.9.20:5044"]
  

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

#================================ Logging =====================================

# Sets log level. The default log level is info.
# Available log levels are: critical, error, warning, info, debug
#logging.level: debug

# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publish", "service".
#logging.selectors: ["*"]

And the output of the test is:

What is your idea?


(Jason) #8

I found and solved the problem. I must create a file with the name "server1.template.json". But why does Kibana get it with the name "winlogbeat"? How can I change this name?

curl -XGET 'http://localhost:9200/_cat/indices?v'
health status index                 uuid                   pri rep docs.count docs.deleted store.size pri.store.size
yellow open   .kibana               b3u7iAFMS0O0ZaVkZ12w6Q   1   1          1            0      3.1kb          3.1kb
yellow open   winlogbeat-2017.08.26 4rk35O39TpuUNkP_VpTxDw   5   1          9            0    119.8kb        119.8kb

(Andrew Kroh) #9

Setting output.elasticsearch.template.name modifies the name of the template, not the name of the index. That value is used when installing the template (e.g. PUT _template/<template.name>). See the ES documentation on index templates for more details.

The output.elasticsearch.index option controls the destination index name. If you customize the index name then you also need to modify the index template JSON file to make it apply to the new index name. See the "template" value inside the JSON file (it defaults to winlogbeat-*).


(Jason) #10

Excuse me, I'm confused. Must I put output.elasticsearch.index into my "winlogbeat" configuration?

output.elasticsearch:
  hosts: ["http://localhost:9200"]
  index: "logs-%{+yyyy.MM.dd}"

and then, in the "template JSON" file, change "winlogbeat-" to "logs-"?

Thank you.


(Andrew Kroh) #11

Yes, that's the correct config.

output.elasticsearch:
  hosts: ["http://localhost:9200"]
  index: 'logs-%{+yyyy.MM.dd}'

And you need to modify the template value inside of the winlogbeat.template.json file. This causes the index template to apply to the custom index name you are using. You'll want to make sure that you overwrite the existing template after making the modification.


(Jason) #12

Thank you.
I don't need to rename any file. I just used index: "logs-%{+yyyy.MM.dd}" in the config file and it is OK.
Why do I just change the template value inside of the winlogbeat.template.json file?


(Andrew Kroh) #13

The template field specifies a pattern that is matched against the names of newly created indices. The settings and mappings will be applied to any index name that matches. Templates are only applied at index creation time. Changing a template will have no impact on existing indices.
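
An added example, not part of the thread and not Elastic's code: a pre-deployment check that expands a custom `output.elasticsearch.index` value for a given day and tests whether the template file's pattern would apply to the resulting index. The function names and the two template fragments are constructed for illustration, and only the `yyyy`, `MM` and `dd` date tokens are handled.

```python
import json
import re
from datetime import date

# Date tokens used in the thread's index setting, mapped to strftime directives.
_TOKENS = {"yyyy": "%Y", "MM": "%m", "dd": "%d"}

# Constructed fragments standing in for winlogbeat.template.json (mappings omitted).
STOCK_TEMPLATE = '{"template": "winlogbeat-*", "settings": {}, "mappings": {}}'
EDITED_TEMPLATE = '{"template": "logs-*", "settings": {}, "mappings": {}}'


def expand_index(index_setting, day):
    """Expand an index setting such as 'logs-%{+yyyy.MM.dd}' for one day."""
    def repl(match):
        fmt = match.group(1)
        for token, directive in _TOKENS.items():
            fmt = fmt.replace(token, directive)
        return day.strftime(fmt)
    return re.sub(r"%\{\+([^}]+)\}", repl, index_setting)


def pattern_matches(pattern, index_name):
    """Match an index-template pattern, where '*' is the only wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, index_name) is not None


def check(index_setting, template_json, day):
    """Return (index_name, patterns, applies) for a planned config change."""
    doc = json.loads(template_json)
    # Older templates carry one "template" string; newer ones a list
    # under "index_patterns". Accept either.
    patterns = doc.get("index_patterns") or [doc["template"]]
    name = expand_index(index_setting, day)
    applies = any(pattern_matches(p, name) for p in patterns)
    return name, patterns, applies


if __name__ == "__main__":
    day = date(2017, 8, 26)
    for label, tpl in (("stock", STOCK_TEMPLATE), ("edited", EDITED_TEMPLATE)):
        name, patterns, applies = check("logs-%{+yyyy.MM.dd}", tpl, day)
        status = "applies" if applies else "does NOT apply"
        print(f"{label}: index {name} vs {patterns}: template {status}")
```

When the check reports that the template does not apply, the new index is created without the template's settings and mappings, and because templates are only applied at index creation time, fixing the template later does not change that index.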


(Jason) #14

Thus:
1- Use index: "logs-%{+yyyy.MM.dd}" in the config file.
2- Open the "winlogbeat.template.json" file and replace all "winlogbeat-" with "logs-".

Must I change template.name: "winlogbeat" in the config file too?

OK?

