Incorrect Kibana Mappings From Winlogbeats Setup Command

I have installed Winlogbeat on my computer and data seems to be flowing correctly. My data flows through my stack as shown:
Winlogbeat -> logstash -> elasticsearch
I am trying to set up the index templates for Winlogbeat using the commands specified in the documentation, but the mapping seems to be incorrect. When I open a Kibana dashboard I get the following error:

"1 of 2 shards failed." Expanding the error shows me the following message:

"Illegal argument exception
Text fields are not optimized for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [winlog.event_id] in order to load field data by uninverting the inverted index. Note that this can use significant memory"

This error is strange to me because I am using the indexes that were set up through Winlogbeat.

I have tried the following:

Deleting all indexes, index templates, and data streams that were associated with Winlogbeat.
Re-running this setup command: ./winlogbeat.exe setup. This command yields the following output:

"Overwriting ILM policy is disabled. Set 'setup.ilm.overwrite: true' for enabling.

Index setup finished.
Loading dashboards (Kibana must be running and reachable)
Loaded dashboards
Loaded Ingest pipelines"

Then restarting Winlogbeat. This doesn't fix the bug and I run into the same issue.

I have tried a few things and just seem to be running in circles. Any help would be greatly appreciated.

A few questions that I've been thinking about:
What is an ILM policy? Should it be enabled?
Is there a different way to set up that will produce the correct mapping?

Links I have looked into:
[Bug] [auditbeat] [winlogbeat] Running setup with setup.ilm.check_exists: false creates invalid mappings (text for keyword fields), effecting the Security app · Issue #21725 · elastic/beats · GitHub

Elastic 7.9.1 - Security (SIEM) - Your visualization has error(s) - [illegal_argument_exception] - Elastic Security / SIEM - Discuss the Elastic Stack

My winlogbeat.yml file doesn't have a

setup.ilm.check_exists: false

line.

Here is a screenshot of the error I am getting.
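The check behind that error, as an added example (not code from the thread or from the Elastic project): it walks the JSON body that GET winlogbeat-*/_mapping returns and lists every field mapped as text with no keyword sub-field, which is exactly the state winlog.event_id must not be in for dashboards to aggregate on it. The mapping below is constructed to reproduce the symptom.

```python
import json

# Constructed sample in the shape of a GET /<index>/_mapping response; winlog.event_id
# is deliberately mapped as text (the bad state), the other fields as keyword.
SAMPLE_MAPPING = {
    "winlogbeat-8.2.3": {
        "mappings": {
            "properties": {
                "winlog": {
                    "properties": {
                        "event_id": {"type": "text"},
                        "channel": {"type": "keyword"},
                        "computer_name": {"type": "keyword"},
                    }
                },
                # text with a keyword sub-field: aggregations can use message.keyword
                "message": {"type": "text", "fields": {"keyword": {"type": "keyword", "ignore_above": 1024}}},
                "host": {"properties": {"name": {"type": "keyword"}}},
            }
        }
    }
}


def find_unaggregatable_text_fields(mapping_response):
    """Return {index: [dotted field path, ...]} for fields mapped as 'text' that have
    neither fielddata enabled nor a 'keyword' sub-field; aggregating or sorting on
    such a field raises the illegal_argument_exception quoted in the post."""
    result = {}
    for index_name, body in mapping_response.items():
        bad = []
        _walk(body.get("mappings", {}).get("properties", {}), "", bad)
        if bad:
            result[index_name] = sorted(bad)
    return result


def _walk(properties, prefix, bad):
    for name, spec in properties.items():
        path = f"{prefix}{name}"
        if "properties" in spec:  # object field: recurse into its children
            _walk(spec["properties"], path + ".", bad)
            continue
        if spec.get("type") == "text" and not spec.get("fielddata"):
            has_keyword = any(s.get("type") == "keyword" for s in spec.get("fields", {}).values())
            if not has_keyword:
                bad.append(path)


if __name__ == "__main__":
    print(json.dumps(find_unaggregatable_text_fields(SAMPLE_MAPPING), indent=2))
```

On a live stack, replace SAMPLE_MAPPING with the parsed response of GET winlogbeat-*/_mapping; an empty result means the setup command produced keyword mappings as intended.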

Have you tried installing the latest Winlogbeat?

Would I have to update my entire stack? I am using Winlogbeat 8.2.3.
It was the latest a few weeks ago.
