So I upgraded winlogbeats to 5.x alpha to get a more granular view of my sys logs but I cant get the new json template loaded into elastic search. currently files are still getting shipped from winlogbeats to LS and eventually to ES, im just not getting all the fields that i was expecting with 5.x upgrade. bellow are my commands and errors.
from windows to ELK server
`
PS C:\Program Files (x86)\winlogbeat-5.0.0-alpha5-windows-x86_64> Invoke-WebRequest -Method Put -InFile winlogbeat.temp
ate.json -Uri http://x.x.x.251:9200/_template/winlogbeat?pretty
Invoke-WebRequest : { "error" : { "root_cause" : [ { "type" : "mapper_parsing_exception", "reason" : "No handler for
type [keyword] declared on field [related_activity_id]" } ], "type" : "mapper_parsing_exception", "reason" : "Failed
to parse mapping [default]: No handler for type [keyword] declared on field [related_activity_id]", "caused_by" : {
"type" : "mapper_parsing_exception", "reason" : "No handler for type [keyword] declared on field
[related_activity_id]" } }, "status" : 400 }
At line:1 char:1
- Invoke-WebRequest -Method Put -InFile winlogbeat.template.json -Uri http://x.x ...
-
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebExc eption + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
i also copied over the winlogbeat.template.json over to the ELK server and tried to load it :slight_smile:
[root@chglnx05 conf.d]# curl -XPUT 'http://localhost:9200/_template/winlogbeat' /home/admin/winlogbeat.template.json
{"error":{"root_cause":[{"type":"parse_exception","reason":"Failed to derive xcontent"}],"type":"parse_exception","reason":"Failed to derive xcontent"},"status":400}curl: (3) malformed `