Issues with winlogbeat set up

ES version 7.16.2, winlogbeat 7.16.1

Trying to get winlogbeat working on a new cluster. We seem to have got through the setup phase and started to send data. Each event gets a warning:
(status=400): {"type":"illegal_argument_exception","reason":"pipeline with id [winlogbeat-7.16.1-routing] does not exist"}, dropping event!

We have an index created winlogbeat-7.16.1-2022.05.03-000001 and are still running with the elevated privileges needed to do the initial setup.

No errors in the ES logs.

edit:

Hmmm... the ingestion pipeline appears to be a version 8 thing?? We did originally install winlogbeat 8.0 and saw the compatibility warning and reverted to 7.16.1, and we must be using the 8.0 config:

winlogbeat.event_logs:
  - name: ForwardedEvents
    tags: [forwarded]
setup.template.settings:
  index.number_of_shards: 1
setup.kibana:
output.elasticsearch:
  hosts: ["130.216.5.128:9200"]
  protocol: "https"
  api_key: "<redactected>"
  setup.ilm.check_exists: false
  pipeline: "winlogbeat-%{[agent.version]}-routing"
  output.elasticsearch.allow_older_versions: true
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~

Winlogbeat 7 doesn't use the pipeline. See the docs for 7.17 below and compare that to the 8.x docs.
