I have installed Winlogbeat on my computer and data seems to be flowing correctly. My data flows through my stack as shown
Winlogbeat -> logstash -> elasticsearch
I am trying to set up the index templates for Winlogbeat using the commands specified in the documentation, but the mapping seems to be incorrect. When I open a Kibana dashboard I get the following error:
"1 of 2 shards failed." Expanding the error shows me the following message:
"Illegal argument exception
Text fields are not optimized for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [winlog.event_id] in order to load field data by uninverting the inverted index. Note that this can use significant memory"
This error is strange to me because I am using the indexes that were set up through Winlogbeat.
I have tried the following:
Deleting all indexes, index templates, and data streams that were associated with Winlogbeat.
Re-running this setup command: ./winlogbeat.exe setup. This command yields the following output:
"Overwriting ILM policy is disabled. Set 'setup.ilm.overwrite: true' for enabling.
Index setup finished.
Loading dashboards (Kibana must be running and reachable)
Loaded dashboards
Loaded Ingest pipelines"
Then restarting Winlogbeat. This doesn't fix the bug and I run into the same issue.
I have tried a few things and just seem to be running in circles. Any help would be greatly appreciated.
A few questions I've been thinking about:
What is an ILM policy? Should it be enabled?
Is there a different way to run setup that will produce the correct mapping?
Links I have looked into:
[Bug] [auditbeat] [winlogbeat] Running setup with setup.ilm.check_exists: false creates invalid mappings (text for keyword fields), effecting the Security app · Issue #21725 · elastic/beats · GitHub
My winlogbeat.yml file doesn't have a setup.ilm.check_exists: false line.
Here is a screenshot of the error I am getting.
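The dashboard error above says winlog.event_id was mapped as text rather than keyword. As an added example (not from the post, Winlogbeat or Elastic), here is a small Python check, run over a constructed mapping in the shape a GET <index>/_mapping response takes, that lists every text field lacking a keyword sub-field, i.e. exactly the fields that trigger that error when a dashboard aggregates or sorts on them. The index name and field set in the sample are constructed.

```python
from typing import Dict, List

# Constructed sample in the shape of a GET <index>/_mapping response. Here
# winlog.event_id is "text" with no keyword sub-field, which is what the
# "Text fields are not optimized ... use a keyword field" error complains about.
SAMPLE_MAPPING = {
    "winlogbeat-sample": {  # constructed index name
        "mappings": {
            "properties": {
                "host": {"properties": {"name": {"type": "keyword"}}},
                "message": {"type": "text", "fields": {"keyword": {"type": "keyword"}}},
                "winlog": {
                    "properties": {
                        "event_id": {"type": "text"},
                        "provider_name": {"type": "keyword"},
                    }
                },
            }
        }
    }
}


def unaggregatable_text_fields(properties: Dict, prefix: str = "") -> List[str]:
    """Dotted names of 'text' fields with no keyword sub-field (not aggregatable)."""
    found: List[str] = []
    for name, spec in properties.items():
        path = prefix + name
        if "properties" in spec:  # object field: recurse into its children
            found.extend(unaggregatable_text_fields(spec["properties"], path + "."))
        elif spec.get("type") == "text":
            subfields = spec.get("fields", {}).values()
            if not any(s.get("type") == "keyword" for s in subfields):
                found.append(path)
    return found


def audit_index_mapping(mapping_response: Dict) -> Dict[str, List[str]]:
    """Audit every index in a _mapping response -> {index: [problem fields]}."""
    return {
        index: unaggregatable_text_fields(body["mappings"].get("properties", {}))
        for index, body in mapping_response.items()
    }


if __name__ == "__main__":
    for index, fields in audit_index_mapping(SAMPLE_MAPPING).items():
        print(index, "->", fields or "ok")
```

Feeding it the real _mapping response for the index Logstash actually writes to shows whether the Winlogbeat template was applied to that index: with the template in place, winlog.event_id is keyword and the list is empty.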