I've been trying to setup monitoring for failed logins. I have winlogbeat running on my server and its feeding event logs over to my elastic server. When I loaded the JSON file (winlogbeat-account-usage-dashboard.json) from that page, I get an error saying:
Error
Saved Objects: Could not locate that index-pattern-field (id: event_data.LogonType)
And then when I load the dashboard I get errors in all the frames like "Could not locate that visualization (id: Total-Successful-Logons-1)"
I tried to push the winlogbeat.template.json from my windows server via PS, since I figured that would insert the index-pattern-field I need. But I kept getting error 400. So, I resorted to putting the winlogbeat.template.json in my home folder on the server and running:
{"error":{"root_cause":[{"type":"parse_exception","reason":"Failed to derive xcontent"}],"type":"parse_exception","reason":"Failed to derive xcontent"},"status":400}
I tried replacing localhost with the IP address and got the same error. I also tried with and without the sudo. Any suggestions?
Something I just noticed: when I'm looking in the Discover tab, event_data.LogonType is an available data type. So I'm not sure why I can't load the JSON from the example site either.
All of the event_data.* fields are dynamic since that aren't known up front by Winlogbeat. After you have indexed some events you'll likely need to refresh the fields for the index pattern in Kibana. (Management -> Index Patterns -> winlogbeat-* -> Click Refresh Icon Button)
By default Winlogbeat 5.x will install the index template to Elasticsearch if you are using the ES output. You can check if the index template is already installed with curl http://localhost:9200/_template/winlogbeat. There should also be some log output saying that it installed the template.
This index template is used by Elasticsearch. The "index-pattern-field" is a separate thing that is part of the Kibana index pattern.
I wonder if that file is corrupted in some way. Maybe an editor made some line ending or encoding changes. Can you try the Powershell command again on a clean version of the file taken directly from the zip file.
I can try to retest that dashboard today on a clean ES/Kibana.
Actually, just the "Management -> Index Patterns -> winlogbeat-* -> Click Refresh Icon Button" fixed the problem I was having. That caused the proper fields to be available so I could upload the templates. Thank you.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.