How to configure kibana to see data from winlogbeat


(yolena) #1

Hi! I need your help as much as you can give it!
I just want to see the data from Winlogbeat, but I'm using Logstash to filter the data before sending it to Elasticsearch and finally seeing it in Kibana. This is what happens when I open the Kibana page in the field @timestamp:

And this is my Logstash configuration:

input {
  beats {
    port => 5044
  }
}

filter {
  if [type] == "wineventlog" and [level] != "Error" {
    drop { }
  }
}

output {
  elasticsearch {
    hosts => ["192.168.123.72:9200"]
    user => "logstash_internal"
    password => "xxxxxxx"
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}

I hope that you can help me!! thanks!!


(Tim Roes) #2

Hey,

are you sure that there actually are error event logs?

Could you try pasting the following query in the "Dev Tools -> Console" in Kibana:

GET /winlogbeat-*/_search

Does this return a JSON response whose hits array contains anything?

Cheers,
Tim


(yolena) #3

Well, honestly I don't know if there really are any error event logs, but I followed your advice and this is what I found. I have to be honest, this is my first time using Kibana and I really want to learn, but I need you to tell me what to do step by step if it is not too much trouble please!! :no_mouth: and thanks!!

Note: I'm using Winlogbeat to send the data to Logstash, then Elasticsearch and finally Kibana.


(yolena) #4

I just want to see the errors that appear in the domain controller, in the server.


(Tim Roes) #5

This really means there are no documents (i.e. logs) in your index, which could possibly mean there are no errors collected by Winlogbeat. I am not very good with Windows, so I don't know the relation between Winlogbeat and the domain controller, but I asked someone from the Beats team to have a look at this.


(yolena) #6

Thanks, I really appreciate it. The domain controller is the information that I want to see in Kibana; I suppose that it is a field which contains some information about the user names and other things. Well, I'm interested in seeing only the errors.


(Andrew Kroh) #7

Are you sure events are flowing properly between Winlogbeat and Logstash? At the moment we have no way of knowing if setup is broken or if there are simply no "Error" events. I recommend that you temporarily remove the LS filter section just to see if any events are flowing.

Could you please post the Winlogbeat config that you are using and the logs from Winlogbeat?


(yolena) #8

Sure. This is what I have here.

This is winlogbeat.yml:

#================= Winlogbeat specific options ======================

# event_logs specifies a list of event logs to monitor as well as any
# accompanying options. The YAML data type of event_logs is a list of
# dictionaries.
#
# The supported keys are name (required), tags, fields, fields_under_root,
# forwarded, ignore_older, level, event_id, provider, and include_xml. Please
# visit the documentation for the complete details of each option.
# https://go.es.io/WinlogbeatConfig
winlogbeat.event_logs:
  #- name: Application
  #  ignore_older: 72h
  #- name: Security
  - name: System

#=========================== General ==============================

# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
#name:

# The tags of the shipper are included in their own field with each
# transaction published.
#tags: ["service-X", "web-tier"]

# Optional fields that you can specify to add additional information to the
# output.
#fields:
#  env: staging

#========================== Outputs ==============================

# Configure what outputs to use when sending the data collected by the beat.
# Multiple outputs may be used.

#-------------------------- Elasticsearch output ------------------------------
#output.elasticsearch:
  # Array of hosts to connect to.
  #hosts: ["localhost:9200"]

  # Optional protocol and basic auth credentials.
  #protocol: "https"
  #username: "elastic"
  #password: "changeme"

#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["192.168.123.72:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

#========================== Logging ===============================

# Sets log level. The default log level is info.
# Available log levels are: critical, error, warning, info, debug
#logging.level: debug

# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publish", "service".


(yolena) #9

We took the example for the filter from here:


(yolena) #10

I have good news!! Finally we found the way to see the data that we wanted in Kibana. First we did what you advised, which was to remove the LS filter section. Then we added this to winlogbeat.yml:

winlogbeat.event_logs:
  #- name: Application
  #  ignore_older: 72h
  #- name: Security
  - name: System
    level: critical, error, warning

and finally we restarted the Logstash and Winlogbeat services and EUREKA!!!

We can see the data in Kibana.

I have to say thanks for your help!! :mage:t3:
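The thread ends up comparing two places to filter by severity: the Logstash conditional from the first post (keeps only events whose level is exactly "Error") and the per-log `level:` option in winlogbeat.yml (a comma-separated list applied at the source). The following Python is an added example, not code from the thread or from Elastic: it replays both rules over constructed Windows event records and reads a constructed `GET /winlogbeat-*/_search` response the way Tim's check in post #2 is meant to be read (zero hits means the pipeline is the problem, not the filter). The event IDs, index name and the case-insensitive level comparison are assumptions made for the example.

```python
"""
Added example (not from the original thread): replays the Logstash drop
conditional and the Winlogbeat `level:` selection over constructed events,
and summarises a constructed Elasticsearch _search response.
"""
import json
from collections import Counter

# Constructed sample events shaped like Winlogbeat documents; the values are
# made up for this example and are not real domain-controller logs.
SAMPLE_EVENTS = [
    {"type": "wineventlog", "log_name": "System", "level": "Error", "event_id": 7000},
    {"type": "wineventlog", "log_name": "System", "level": "Warning", "event_id": 1014},
    {"type": "wineventlog", "log_name": "System", "level": "Critical", "event_id": 41},
    {"type": "wineventlog", "log_name": "System", "level": "Information", "event_id": 7036},
]


def logstash_filter_keeps(event):
    """Mirror the Logstash conditional from the first post:
    if [type] == "wineventlog" and [level] != "Error" { drop { } }
    Only events whose level is exactly "Error" survive; Critical and Warning
    are dropped too, and the string comparison is case-sensitive."""
    return not (event.get("type") == "wineventlog" and event.get("level") != "Error")


def winlogbeat_level_keeps(event, levels="critical, error, warning"):
    """Mirror the per-log `level:` option in winlogbeat.yml, which takes a
    comma-separated list of level names and keeps matching events at the
    source, before they ever reach Logstash. Case-insensitive matching is an
    assumption made for this example."""
    wanted = {name.strip().lower() for name in levels.split(",")}
    return event.get("level", "").lower() in wanted


def apply_filter(events, keep):
    """Return the events that the given rule keeps, in input order."""
    return [e for e in events if keep(e)]


# Constructed _search response in the Elasticsearch 6.x shape, where
# hits.total is a plain number (7.x wraps it as {"value": n, ...}).
SAMPLE_SEARCH_RESPONSE = json.dumps({
    "took": 3,
    "timed_out": False,
    "hits": {
        "total": 3,
        "hits": [
            {"_index": "winlogbeat-2018.01.01", "_source": e}
            for e in apply_filter(SAMPLE_EVENTS, winlogbeat_level_keeps)
        ],
    },
})


def summarize_search(response_text):
    """Return (total_hits, Counter of level values) from a _search response."""
    body = json.loads(response_text)
    total = body["hits"]["total"]
    if isinstance(total, dict):  # Elasticsearch 7.x shape
        total = total["value"]
    levels = Counter(h["_source"].get("level", "<missing>") for h in body["hits"]["hits"])
    return total, levels


def diagnose(response_text):
    """Map the hit count onto the next troubleshooting step from the thread."""
    total, levels = summarize_search(response_text)
    if total == 0:
        return ("no documents in the index: check the Winlogbeat -> Logstash -> "
                "Elasticsearch path before tuning filters")
    if levels.get("Error", 0) == 0:
        return ("documents exist but none have level Error: the filter, not the "
                "pipeline, is why nothing shows")
    return "Error events are indexed; check the Kibana index pattern and time range"


if __name__ == "__main__":
    print("Logstash conditional keeps:", [e["event_id"] for e in apply_filter(SAMPLE_EVENTS, logstash_filter_keeps)])
    print("Winlogbeat level option keeps:", [e["event_id"] for e in apply_filter(SAMPLE_EVENTS, winlogbeat_level_keeps)])
    print(summarize_search(SAMPLE_SEARCH_RESPONSE))
    print(diagnose(SAMPLE_SEARCH_RESPONSE))
```

Run it as-is to see the two rules disagree on the Warning and Critical records; point `summarize_search` at the real body returned by the Dev Tools query to get the same three-way diagnosis (empty index, documents but no Error level, or Error documents present) for your own deployment.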


(system) #11

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.