How to configure winlogbeat to use existing index in elasticsearch

Hi Team,

I have an index in my Elastic instance with the index pattern "version-1-2018-". Now I want my Windows logs to be stored under this "version-1-2018-".

I have uploaded the "win beat pattern" (template) to my Elasticsearch under the name "template_version_1_winlogbeat", with index_pattern "version-1-*" to match my existing index pattern.

name                          index_patterns               order version
kibana_index_template:.kibana [.kibana]                    0     
logstash                      [logstash-*]                 0     60001
metricbeat-6.2.4              [metricbeat-6.2.4-*]         1       
template_version_1            [version-1-*]                0     
template_version_1_winlogbeat [version-1-*]                0       
winlogbeat-6.4.0              [winlogbeat-6.4.0-*]         1     

Now, how can I configure my winlogbeat to use the template "template_version_1_winlogbeat" and the existing index pattern "version-1-*"?

Believe me, I have tried all configurations (winlogbeat); unfortunately nothing is working for me.

But I feel this should be a simple configuration, so can you please guide me on this?

If there is any example config or KB link, I would be most grateful.

Gratitude,
Teja

Have you tried setting index, setup.template.name and setup.template.pattern?

Example:

output.elasticsearch:
  enabled: true
  hosts: ["localhost:9200"]

  # Optional index name. The default is "winlogbeat" plus date
  # and generates [winlogbeat-]YYYY.MM.DD keys.
  # In case you modify this pattern you must update setup.template.name and setup.template.pattern accordingly.
  index: "version-1-%{+yyyy}"

# Template name. By default the template name is "winlogbeat-%{[beat.version]}"
# The template name and pattern has to be set in case the elasticsearch index pattern is modified.
setup.template.name: "version-1"

# Template pattern. By default the template pattern is "-%{[beat.version]}-*" to apply to the default index settings.
# The first part is the version of the beat and then -* is used to match all daily indices.
# The template name and pattern has to be set in case the elasticsearch index pattern is modified.
setup.template.pattern: "version-1-*"
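The three settings above only work together when the index name the beat generates actually falls under the template's index pattern, and when the template that is meant to apply is the one Elasticsearch picks. The following checker, added here as an example and not part of Winlogbeat or of this thread, renders a Beats `index` setting for a given day and compares it with the templates listed earlier. It assumes a small subset of the `%{+...}` date tokens, uses Python's `fnmatch` as a stand-in for Elasticsearch's `*` wildcard matching, and takes its template table and config values from the thread (reconstructed as Python dictionaries).

```python
"""Added example: check that a Beats index setting and the index templates in
Elasticsearch line up.  Not Winlogbeat's own code; the template table and
config values are reconstructed from the thread above."""
import fnmatch
from datetime import date

# Subset of the Joda-style date tokens Beats accepts inside %{+...}; an
# assumption for this example (Beats supports more tokens than these).
_DATE_TOKENS = [("YYYY", "%Y"), ("yyyy", "%Y"), ("MM", "%m"), ("dd", "%d")]

# Sample day used to render date-based index names (constructed).
SAMPLE_DAY = date(2018, 9, 12)

# Index templates as listed by the original poster (reconstructed from the thread).
TEMPLATES = [
    {"name": "kibana_index_template:.kibana", "index_patterns": [".kibana"], "order": 0},
    {"name": "logstash", "index_patterns": ["logstash-*"], "order": 0},
    {"name": "metricbeat-6.2.4", "index_patterns": ["metricbeat-6.2.4-*"], "order": 1},
    {"name": "template_version_1", "index_patterns": ["version-1-*"], "order": 0},
    {"name": "template_version_1_winlogbeat", "index_patterns": ["version-1-*"], "order": 0},
    {"name": "winlogbeat-6.4.0", "index_patterns": ["winlogbeat-6.4.0-*"], "order": 1},
]

# The configuration posted later in the thread, flattened to dotted keys.
THREAD_CONFIG = {
    "output.elasticsearch.index": "version-1-%{+YYYY.MM.dd}",
    "setup.template.name": "template_version_1_winlogbeat",
    "setup.template.pattern": "version-1-*",
}


def render_index(index_setting, when=SAMPLE_DAY):
    """Expand every %{+FORMAT} in a Beats index setting for a concrete day."""
    out = index_setting
    while "%{+" in out:
        start = out.index("%{+")
        end = out.index("}", start)
        fmt = out[start + 3:end]
        for token, strftime_code in _DATE_TOKENS:
            fmt = fmt.replace(token, strftime_code)
        out = out[:start] + when.strftime(fmt) + out[end + 1:]
    return out


def matching_templates(index_name, templates):
    """(name, order) of each template whose index_patterns match the index."""
    return [(t["name"], t["order"]) for t in templates
            if any(fnmatch.fnmatchcase(index_name, p) for p in t["index_patterns"])]


def check_config(cfg, templates=TEMPLATES, when=SAMPLE_DAY):
    """Return (rendered index name, matching templates, list of problems)."""
    problems = []
    index = cfg["output.elasticsearch.index"]
    name = cfg.get("setup.template.name")
    pattern = cfg.get("setup.template.pattern")
    # A custom index requires both template settings (see the comments in the
    # reference config above).
    if not (name and pattern):
        problems.append("index is customised but setup.template.name and "
                        "setup.template.pattern are not both set")
    rendered = render_index(index, when)
    if pattern and not fnmatch.fnmatchcase(rendered, pattern):
        problems.append(f"rendered index {rendered!r} does not match "
                        f"setup.template.pattern {pattern!r}")
    hits = matching_templates(rendered, templates)
    if name and name not in [n for n, _ in hits]:
        problems.append(f"template {name!r} is not among those matching {rendered!r}")
    # Elasticsearch applies every matching template, merged by order; two
    # templates with the same order and overlapping patterns make the merged
    # result depend on how their settings collide, so flag it for review.
    orders = [o for _, o in hits]
    clashes = sorted({o for o in orders if orders.count(o) > 1})
    if clashes:
        problems.append(f"templates {[n for n, _ in hits]} match {rendered!r} "
                        f"with the same order {clashes}; review whether both should apply")
    return rendered, hits, problems


if __name__ == "__main__":
    rendered, hits, problems = check_config(THREAD_CONFIG)
    print("index name:", rendered)
    print("matching templates:", hits)
    for p in problems:
        print("PROBLEM:", p)
```

Run it as-is to see the thread's own configuration evaluated: the rendered name "version-1-2018.09.12" does fall under "version-1-*", but two templates with the same order and pattern both match it, which is the kind of overlap worth resolving before looking for errors elsewhere. Swap in your own config dictionary and the output of GET _template to check a different setup.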

No, it is not working. I am not seeing any results in Kibana.

winlogbeat.event_logs:
  - name: Application
  - name: Security
  - name: System

output.elasticsearch:
  enabled: true
  hosts:
    - http://xx.xx.xx.xx:9200
  index: "version-1-%{+YYYY.MM.dd}"

setup.template.name: "template_version_1_winlogbeat"
setup.template.pattern: "version-1-*"

setup.kibana:
  host: "xx.xx.xx.xx:5601"

logging.to_files: true
logging.files:
  path: C:/ProgramData/winlogbeat/Logs
logging.level: debug

This is my configuration file.
Is there any way I can find the error? (Any log files? I cannot find any error in the winlogbeat log.)

What's the output of winlogbeat -e -d "*"?

You set:

index: "version-1-%{+YYYY.MM.dd}"

While according to your previous messages it should be:

index: "version-1-%{+YYYY}"
