Never dropping the events

I have used drop_fields to drop the fields, but after restarting winlogbeat and logstash it doesn't drop the specified fields; they are still shown in Kibana.

winlogbeat.yml is as follows (is there anything wrong I have done, or why doesn't it drop the fields?):

###################### Winlogbeat Configuration Example ##########################

# This file is an example configuration file highlighting only the most common
# options. The winlogbeat.reference.yml file from the same directory contains all the
# supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/winlogbeat/index.html

#======================= Winlogbeat specific options ==========================

# event_logs specifies a list of event logs to monitor as well as any
# accompanying options. The YAML data type of event_logs is a list of
# dictionaries.
#
# The supported keys are name (required), tags, fields, fields_under_root,
# forwarded, ignore_older, level, event_id, provider, and include_xml. Please
# visit the documentation for the complete details of each option.
# https://go.es.io/WinlogbeatConfig
winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: Security
  - name: System
  
#==================== Elasticsearch template setting ==========================

setup.template.settings:
  index.number_of_shards: 3
  #index.codec: best_compression
  #_source.enabled: false

#================================ General =====================================

# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
#name:

# The tags of the shipper are included in their own field with each
# transaction published.
#tags: ["service-X", "web-tier"]

# Optional fields that you can specify to add additional information to the
# output.
#fields:
#  env: staging


#============================== Dashboards =====================================
# These settings control loading the sample dashboards to the Kibana index. Loading
# the dashboards is disabled by default and can be enabled either by setting the
# options here, or by using the `-setup` CLI flag or the `setup` command.
#setup.dashboards.enabled: false

# The URL from where to download the dashboards archive. By default this URL
# has a value which is computed based on the Beat name and version. For released
# versions, this URL points to the dashboard archive on the artifacts.elastic.co
# website.
#setup.dashboards.url:

#============================== Kibana =====================================

# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:

  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify an additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  host: "localhost:5601"

  # Kibana Space ID
  # ID of the Kibana Space into which the dashboards should be loaded. By default,
  # the Default Space will be used.
  #space.id:

#============================= Elastic Cloud ==================================

# These settings simplify using winlogbeat with the Elastic Cloud (https://cloud.elastic.co/).

# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
# `setup.kibana.host` options.
# You can find the `cloud.id` in the Elastic Cloud web UI.
#cloud.id:

# The cloud.auth setting overwrites the `output.elasticsearch.username` and
# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
#cloud.auth:

#================================ Outputs =====================================

# Configure what output to use when sending the data collected by the beat.


#-------------------------- Elasticsearch output ------------------------------
#output.elasticsearch:
  # Array of hosts to connect to.
  #hosts: ["localhost:9200"]
  #username: "filebeat_internal"
  #password: "YOUR_PASSWORD"

  # Optional protocol and basic auth credentials.
  #protocol: "https"
  #username: "elastic"
  #password: "changeme"

#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["localhost:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

#================================ Processors =====================================

# Configure processors to enhance or manipulate events generated by the beat.

processors:
  - drop_fields:
      fields: ["provider_guid", "process_id", "thread_id", "version", "event_data.ErrorSourceTable"]
  
  - add_host_metadata: ~
  - add_cloud_metadata: ~

#================================ Logging =====================================

# Sets log level. The default log level is info.
# Available log levels are: error, warning, info, debug
logging.level: info
# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publish", "service".
#logging.selectors: ["*"]
logging.to_files: true
logging.files:
  path: C:/ProgramData/winlogbeat/Logs

#============================== Xpack Monitoring ===============================
# winlogbeat can export internal metrics to a central Elasticsearch monitoring
# cluster.  This requires xpack monitoring to be enabled in Elasticsearch.  The
# reporting is disabled by default.

# Set to true to enable the monitoring reporter.
#xpack.monitoring.enabled: false

# Uncomment to send the metrics to Elasticsearch. Most settings from the
# Elasticsearch output are accepted here as well. Any setting that is not set is
# automatically inherited from the Elasticsearch output configuration, so if you
# have the Elasticsearch output configured, you can simply uncomment the
# following line.
#xpack.monitoring.elasticsearch:

2. Another question: I need to drop events from the winlog when they are shipped, i.e. I need to drop event log entries whose event_id is 0 or 4663.

I want to use both drop_fields and drop_event. How do I write it?

The drop_fields config you have looks correct to me. So is it the case that none of those fields are being dropped?

This is how to drop when event_id is 0 or 4663.

processors:
- drop_event:
    when:
      or:
        - equals.event_id: 0
        - equals.event_id: 4663
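As an added example, not code from this thread or from Elastic, here is a small Python model of the drop_fields and drop_event processors configured above, run over constructed sample events. It shows which events are discarded, which fields are removed from the survivors, and that `equals` will not match a string-typed event_id against the integer in the config.

```python
# Added example (not from the thread or from Elastic's code): a model of the two
# Beats processors discussed above, drop_event and drop_fields, applied to
# constructed sample events. The processor list mirrors the thread's winlogbeat.yml
# in the expanded form that `winlogbeat.exe export config` prints.
import copy

# Beats expands dotted keys such as `equals.event_id: 0` into nested maps
# before the processors see them, exactly as the export output in the thread shows.
PROCESSORS = [
    {"drop_event": {"when": {"or": [
        {"equals": {"event_id": 4663}},
        {"equals": {"event_id": 0}},
    ]}}},
    {"drop_fields": {"fields": [
        "provider_guid", "process_id", "thread_id", "version",
        "event_data.ErrorSourceTable",
    ]}},
]


def get_path(event, dotted):
    """Resolve a dotted field path such as event_data.ErrorSourceTable.
    Returns (value, found) so a missing field never matches anything."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None, False
        cur = cur[part]
    return cur, True


def delete_path(event, dotted):
    """Remove a (possibly nested) field; silently ignore fields that are absent."""
    parts = dotted.split(".")
    cur = event
    for part in parts[:-1]:
        if not isinstance(cur, dict) or part not in cur:
            return
        cur = cur[part]
    if isinstance(cur, dict):
        cur.pop(parts[-1], None)


def evaluate(cond, event):
    """Evaluate a Beats `when` condition built from equals / or / and / not.
    `equals` is type-sensitive: a string "4663" does not equal the integer 4663."""
    if "equals" in cond:
        return all(get_path(event, k) == (v, True) for k, v in cond["equals"].items())
    if "or" in cond:
        return any(evaluate(c, event) for c in cond["or"])
    if "and" in cond:
        return all(evaluate(c, event) for c in cond["and"])
    if "not" in cond:
        return not evaluate(cond["not"], event)
    raise ValueError(f"unsupported condition: {cond}")


def run_processors(event, processors=PROCESSORS):
    """Run the processor chain; return the processed event, or None if dropped."""
    ev = copy.deepcopy(event)  # processors must not mutate the caller's event
    for proc in processors:
        (name, cfg), = proc.items()
        if name == "drop_event":
            # drop_event with no `when` drops every event, as in Beats
            if "when" not in cfg or evaluate(cfg["when"], ev):
                return None
        elif name == "drop_fields":
            if "when" in cfg and not evaluate(cfg["when"], ev):
                continue
            for field in cfg["fields"]:
                delete_path(ev, field)
        else:
            raise ValueError(f"unsupported processor: {name}")
    return ev


# Constructed sample events shaped like winlogbeat 6.x documents (made-up values).
SAMPLES = [
    {"event_id": 4663, "log_name": "Security", "process_id": 4, "thread_id": 80},
    {"event_id": 0, "log_name": "Application", "version": 1},
    {"event_id": 4624, "log_name": "Security", "provider_guid": "{PLACEHOLDER-GUID}",
     "process_id": 4, "thread_id": 80, "version": 2,
     "event_data": {"LogonType": "3", "ErrorSourceTable": "x"}},
    # event_id as a string: not dropped, because `equals` compares type as well
    {"event_id": "4663", "log_name": "Security"},
]


def process_all(events=SAMPLES):
    return [run_processors(e) for e in events]


if __name__ == "__main__":
    for before, after in zip(SAMPLES, process_all()):
        print(before["event_id"], "->", "DROPPED" if after is None else after)
```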

I have tried the same as what you showed; it doesn't work for drop_event?

Yah!! My winlogbeat has been logging these event IDs (i.e. event_id 0 and 4663), mostly for my practice. I have just used drop_event, and some fields in drop_fields, but it seems it isn't working.
Why??
Can I have a solution?

I have tried this procedure:

After editing the .yml file,
I started elasticsearch and kibana,
configured the yml in powershell and started the service,
and then at last I configured logstash.
After that it seems the same?

AGAIN I HAVE EDITED LIKE THIS AND RUN IT:

###################### Winlogbeat Configuration Example ##########################

# This file is an example configuration file highlighting only the most common
# options. The winlogbeat.reference.yml file from the same directory contains all the
# supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/winlogbeat/index.html

#======================= Winlogbeat specific options ==========================

# event_logs specifies a list of event logs to monitor as well as any
# accompanying options. The YAML data type of event_logs is a list of
# dictionaries.
#
# The supported keys are name (required), tags, fields, fields_under_root,
# forwarded, ignore_older, level, event_id, provider, and include_xml. Please
# visit the documentation for the complete details of each option.
# https://go.es.io/WinlogbeatConfig
winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: Security
  - name: System


#==================== Elasticsearch template setting ==========================

setup.template.settings:
  index.number_of_shards: 3
  #index.codec: best_compression
  #_source.enabled: false

#================================ General =====================================

# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
#name:

# The tags of the shipper are included in their own field with each
# transaction published.
#tags: ["service-X", "web-tier"]

# Optional fields that you can specify to add additional information to the
# output.
#fields:
# env: staging

#============================== Dashboards =====================================
# These settings control loading the sample dashboards to the Kibana index. Loading
# the dashboards is disabled by default and can be enabled either by setting the
# options here, or by using the -setup CLI flag or the setup command.
#setup.dashboards.enabled: false

# The URL from where to download the dashboards archive. By default this URL
# has a value which is computed based on the Beat name and version. For released
# versions, this URL points to the dashboard archive on the artifacts.elastic.co
# website.
#setup.dashboards.url:

#============================== Kibana =====================================

# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:

  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify an additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  host: "localhost:5601"

  # Kibana Space ID
  # ID of the Kibana Space into which the dashboards should be loaded. By default,
  # the Default Space will be used.
  #space.id:

#============================= Elastic Cloud ==================================

# These settings simplify using winlogbeat with the Elastic Cloud (https://cloud.elastic.co/).

# The cloud.id setting overwrites the output.elasticsearch.hosts and
# setup.kibana.host options.
# You can find the cloud.id in the Elastic Cloud web UI.
#cloud.id:

# The cloud.auth setting overwrites the output.elasticsearch.username and
# output.elasticsearch.password settings. The format is <user>:<pass>.
#cloud.auth:

#================================ Outputs =====================================

# Configure what output to use when sending the data collected by the beat.

#-------------------------- Elasticsearch output ------------------------------
#output.elasticsearch:
  # Array of hosts to connect to.
  #hosts: ["localhost:9200"]
  #username: "filebeat_internal"
  #password: "YOUR_PASSWORD"

  # Optional protocol and basic auth credentials.
  #protocol: "https"
  #username: "elastic"
  #password: "changeme"

#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["localhost:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

#================================ Processors =====================================

# Configure processors to enhance or manipulate events generated by the beat.

processors:
  - drop_event:
      when:
        or:
          - equals.event_id: 4663
          - equals.event_id: 0

  - add_host_metadata: ~
  - add_cloud_metadata: ~

#================================ Logging =====================================

# Sets log level. The default log level is info.
# Available log levels are: error, warning, info, debug
logging.level: info
# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publish", "service".
#logging.selectors: ["*"]
logging.to_files: true
logging.files:
  path: C:/ProgramData/winlogbeat/Logs

#============================== Xpack Monitoring ===============================
# winlogbeat can export internal metrics to a central Elasticsearch monitoring
# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The
# reporting is disabled by default.

# Set to true to enable the monitoring reporter.
#xpack.monitoring.enabled: false

# Uncomment to send the metrics to Elasticsearch. Most settings from the
# Elasticsearch output are accepted here as well. Any setting that is not set is
# automatically inherited from the Elasticsearch output configuration, so if you
# have the Elasticsearch output configured, you can simply uncomment the
# following line.
#xpack.monitoring.elasticsearch:


[Screenshot: Kibana Discover, 2019-02-06]
It looks like this. What can I do?
It doesn't drop the field.

Can you run this and paste the output here. Surround it with three backticks on both sides to format it as code (it supports Markdown syntax).

From the directory where you installed winlogbeat:

.\winlogbeat.exe export config

And if you enable debug logging Winlogbeat will dump out to the log file the processor configs that it's using for verification.

logging.level: debug
logging.selectors: [processors, config]

2019-02-06 10:56:43.7434371 +0530 IST m=+0.464100601 write error: failed to rotate backups: failed to rotate backups: rename C:\ProgramData\winlogbeat\Logs\winlogbeat C:\ProgramData\winlogbeat\Logs\winlogbeat.1: The process cannot access the file because it is being used by another process.
2019-02-06 10:56:43.7802287 +0530 IST m=+0.500892201 write error: failed to rotate backups: failed to rotate backups: rename C:\ProgramData\winlogbeat\Logs\winlogbeat C:\ProgramData\winlogbeat\Logs\winlogbeat.1: The process cannot access the file because it is being used by another process.

logging:
  files:
    path: C:/ProgramData/winlogbeat/Logs
  level: info
  to_files: true
output:
  logstash:
    hosts:
    - localhost:5044
path:
  config: C:\Program Files\winlogbeat
  data: C:\Program Files\winlogbeat\data
  home: C:\Program Files\winlogbeat
  logs: C:\Program Files\winlogbeat\logs
processors:
- drop_event:
    when:
      or:
      - equals:
          event_id: 4663
      - equals:
          event_id: 0
- add_host_metadata: null
- add_cloud_metadata: null
setup:
  kibana:
    host: localhost:5601
  template:
    settings:
      index:
        number_of_shards: 3
winlogbeat:
  event_logs:
  - ignore_older: 72h
    name: Application
  - name: Security
  - name: System

That looks good. Try enabling the debug logging in your config file like I listed above. Then restart and post the beginning of the log file.

I have done all that you mentioned above, and it follows:

2019-02-06 11:17:17.0926856 +0530 IST m=+0.448563201 write error: failed to rotate backups: failed to rotate backups: rename C:\ProgramData\winlogbeat\Logs\winlogbeat C:\ProgramData\winlogbeat\Logs\winlogbeat.1: The process cannot access the file because it is being used by another process.
2019-02-06 11:17:17.1339798 +0530 IST m=+0.489857401 write error: failed to rotate backups: failed to rotate backups: rename C:\ProgramData\winlogbeat\Logs\winlogbeat C:\ProgramData\winlogbeat\Logs\winlogbeat.1: The process cannot access the file because it is being used by another process.
logging:
  files:
    path: C:/ProgramData/winlogbeat/Logs
  level: debug
  selectors:
  - processors
  - config
  to_files: true
output:
  logstash:
    hosts:
    - localhost:5044
path:
  config: C:\Program Files\winlogbeat
  data: C:\Program Files\winlogbeat\data
  home: C:\Program Files\winlogbeat
  logs: C:\Program Files\winlogbeat\logs
processors:
- drop_event:
    when:
      or:
      - equals:
          event_id: 4663
      - equals:
          event_id: 0
- add_host_metadata: null
- add_cloud_metadata: null
setup:
  kibana:
    host: localhost:5601
  template:
    settings:
      index:
        number_of_shards: 3
winlogbeat:
  event_logs:
  - ignore_older: 72h
    name: Application
  - name: Security
  - name: System
PS C:\Program Files\winlogbeat>

Configuring the .yml file:

PS C:\Program Files\winlogbeat> .\winlogbeat.exe test config -c .\winlogbeat.yml -e
2019-02-06T11:06:56.065+0530 INFO instance/beat.go:592 Home path: [C:\Program Files\winlogbeat] Config path: [C:\Program Files\winlogbeat] Data path: [C:\Program Files\winlogbeat\data] Logs path: [C:\Program Files\winlogbeat\logs]
2019-02-06T11:06:56.067+0530 INFO instance/beat.go:599 Beat UUID: dbe57d48-bdc8-4710-9dff-fa0aea05d377
2019-02-06T11:06:56.068+0530 INFO [beat] instance/beat.go:825 Beat info {"system_info": {"beat": {"path": {"config": "C:\Program Files\winlogbeat", "data": "C:\Program Files\winlogbeat\data", "home": "C:\Program Files\winlogbeat", "logs": "C:\Program Files\winlogbeat\logs"}, "type": "winlogbeat", "uuid": "dbe57d48-bdc8-4710-9dff-fa0aea05d377"}}}
2019-02-06T11:06:56.068+0530 INFO [beat] instance/beat.go:834 Build info {"system_info": {"build": {"commit": "6da316ebb3ba6ed57725b7fd7c21e598522855bf", "libbeat": "6.5.3", "time": "2018-12-06T19:11:05.000Z", "version": "6.5.3"}}}
2019-02-06T11:06:56.068+0530 INFO [beat] instance/beat.go:837 Go runtime info {"system_info": {"go": {"os":"windows","arch":"amd64","max_procs":4,"version":"go1.10.3"}}}
2019-02-06T11:06:56.152+0530 INFO [beat] instance/beat.go:841 Host info {"system_info": {"host": {"architecture":"x86_64","boot_time":"2019-02-05T22:54:07.22+05:30","name":"DESKTOP-UDIN3D6","ip":["fe80::6541:26ac:2ebe:ac7d/64","10.163.14.172/24","fe80::add0:c3dd:a67c:44a0/64","169.254.68.160/16","fe80::fddd:9e53:3e06:360b/64","169.254.54.11/16","fe80::f0c6:5d30:7fe7:63da/64","192.168.1.6/24","fe80::103a:6162:fdbf:6da3/64","169.254.109.163/16","::1/128","127.0.0.1/8"],"kernel_version":"10.0.17134.523 (WinBuild.160101.0800)","mac":["58:8a:5a:11:60:20","b2:52:16:0b:f9:3d","c2:52:16:0b:f9:3d","b0:52:16:0b:f9:3d","b0:52:16:0b:f9:3e"],"os":{"family":"windows","platform":"windows","name":"Windows 10 Pro","version":"10.0","major":10,"minor":0,"patch":0,"build":"17134.523"},"timezone":"IST","timezone_offset_sec":19800,"id":"9b2eabbc-370a-41ac-967e-fed0791b06df"}}}
2019-02-06T11:06:56.156+0530 INFO [beat] instance/beat.go:870 Process info {"system_info": {"process": {"cwd": "C:\Program Files\winlogbeat", "exe": "C:\Program Files\winlogbeat\winlogbeat.exe", "name": "winlogbeat.exe", "pid": 11488, "ppid": 9244, "start_time": "2019-02-06T11:06:55.588+0530"}}}
2019-02-06T11:06:56.156+0530 INFO instance/beat.go:278 Setup Beat: winlogbeat; Version: 6.5.3
2019-02-06T11:06:56.157+0530 DEBUG [config] common/config.go:262 Configure processor 'drop_event' with:
{
  "when": {
    "or": [
      {
        "equals": {
          "event_id": 4663
        }
      },
      {
        "equals": {
          "event_id": 0
        }
      }
    ]
  }
}
2019-02-06T11:06:56.187+0530 DEBUG [processors] conditions/conditions.go:93 New condition equals: map[event_id:{4663 false}]
2019-02-06T11:06:56.189+0530 DEBUG [processors] conditions/conditions.go:93 New condition equals: map[event_id:{0 false}]
2019-02-06T11:06:56.189+0530 DEBUG [processors] conditions/conditions.go:93 New condition equals: map[event_id:{4663 false}] or equals: map[event_id:{0 false}]
2019-02-06T11:06:59.213+0530 INFO add_cloud_metadata/add_cloud_metadata.go:319 add_cloud_metadata: hosting provider type not detected.
2019-02-06T11:06:59.213+0530 DEBUG [processors] processors/processor.go:66 Processors: drop_event, condition=equals: map[event_id:{4663 false}] or equals: map[event_id:{0 false}], add_host_metadata=[netinfo.enabled=[false]], add_cloud_metadata=null
2019-02-06T11:06:59.319+0530 INFO [publisher] pipeline/module.go:110 Beat name: DESKTOP-UDIN3D6
2019-02-06T11:06:59.319+0530 INFO beater/winlogbeat.go:68 State will be read from and persisted to C:\Program Files\winlogbeat\data.winlogbeat.yml
2019-02-06T11:06:59.331+0530 DEBUG [processors] processors/processor.go:66 Processors:
2019-02-06T11:06:59.331+0530 DEBUG [processors] processors/processor.go:66 Processors:
2019-02-06T11:06:59.332+0530 DEBUG [processors] processors/processor.go:66 Processors:
Config OK

For running:

PS C:\Program Files\winlogbeat> .\winlogbeat.exe setup -e `
  -E output.logstash.enabled=false -E output.elasticsearch.hosts=['localhost:9200'] `
  -E output.elasticsearch.username=winlogbeat_internal -E output.elasticsearch.password=YOUR_PASSWORD `
  -E setup.kibana.host=localhost:5601
2019-02-06T11:07:44.869+0530 INFO instance/beat.go:592 Home path: [C:\Program Files\winlogbeat] Config path: [C:\Program Files\winlogbeat] Data path: [C:\Program Files\winlogbeat\data] Logs path: [C:\Program Files\winlogbeat\logs]
2019-02-06T11:07:44.871+0530 INFO instance/beat.go:599 Beat UUID: dbe57d48-bdc8-4710-9dff-fa0aea05d377
2019-02-06T11:07:44.871+0530 INFO [beat] instance/beat.go:825 Beat info {"system_info": {"beat": {"path": {"config": "C:\Program Files\winlogbeat", "data": "C:\Program Files\winlogbeat\data", "home": "C:\Program Files\winlogbeat", "logs": "C:\Program Files\winlogbeat\logs"}, "type": "winlogbeat", "uuid": "dbe57d48-bdc8-4710-9dff-fa0aea05d377"}}}
2019-02-06T11:07:44.871+0530 INFO [beat] instance/beat.go:834 Build info {"system_info": {"build": {"commit": "6da316ebb3ba6ed57725b7fd7c21e598522855bf", "libbeat": "6.5.3", "time": "2018-12-06T19:11:05.000Z", "version": "6.5.3"}}}
2019-02-06T11:07:44.872+0530 INFO [beat] instance/beat.go:837 Go runtime info {"system_info": {"go": {"os":"windows","arch":"amd64","max_procs":4,"version":"go1.10.3"}}}
2019-02-06T11:07:44.906+0530 INFO [beat] instance/beat.go:841 Host info {"system_info": {"host": {"architecture":"x86_64","boot_time":"2019-02-05T22:54:07.21+05:30","name":"DESKTOP-UDIN3D6","ip":["fe80::6541:26ac:2ebe:ac7d/64","10.163.14.172/24","fe80::add0:c3dd:a67c:44a0/64","169.254.68.160/16","fe80::fddd:9e53:3e06:360b/64","169.254.54.11/16","fe80::f0c6:5d30:7fe7:63da/64","192.168.1.6/24","fe80::103a:6162:fdbf:6da3/64","169.254.109.163/16","::1/128","127.0.0.1/8"],"kernel_version":"10.0.17134.523 (WinBuild.160101.0800)","mac":["58:8a:5a:11:60:20","b2:52:16:0b:f9:3d","c2:52:16:0b:f9:3d","b0:52:16:0b:f9:3d","b0:52:16:0b:f9:3e"],"os":{"family":"windows","platform":"windows","name":"Windows 10 Pro","version":"10.0","major":10,"minor":0,"patch":0,"build":"17134.523"},"timezone":"IST","timezone_offset_sec":19800,"id":"9b2eabbc-370a-41ac-967e-fed0791b06df"}}}
2019-02-06T11:07:44.910+0530 INFO [beat] instance/beat.go:870 Process info {"system_info": {"process": {"cwd": "C:\Program Files\winlogbeat", "exe": "C:\Program Files\winlogbeat\winlogbeat.exe", "name": "winlogbeat.exe", "pid": 11676, "ppid": 9244, "start_time": "2019-02-06T11:07:44.700+0530"}}}
2019-02-06T11:07:44.911+0530 INFO instance/beat.go:278 Setup Beat: winlogbeat; Version: 6.5.3
2019-02-06T11:07:44.912+0530 DEBUG [config] common/config.go:262 Configure processor 'drop_event' with:
{
  "when": {
    "or": [
      {
        "equals": {
          "event_id": 4663
        }
      },
      {
        "equals": {
          "event_id": 0
        }
      }
    ]
  }
}
2019-02-06T11:07:44.913+0530 DEBUG [processors] conditions/conditions.go:93 New condition equals: map[event_id:{4663 false}]
2019-02-06T11:07:44.913+0530 DEBUG [processors] conditions/conditions.go:93 New condition equals: map[event_id:{0 false}]
2019-02-06T11:07:44.914+0530 DEBUG [processors] conditions/conditions.go:93 New condition equals: map[event_id:{4663 false}] or equals: map[event_id:{0 false}]
2019-02-06T11:07:47.941+0530 INFO add_cloud_metadata/add_cloud_metadata.go:319 add_cloud_metadata: hosting provider type not detected.
2019-02-06T11:07:47.941+0530 DEBUG [processors] processors/processor.go:66 Processors: drop_event, condition=equals: map[event_id:{4663 false}] or equals: map[event_id:{0 false}], add_host_metadata=[netinfo.enabled=[false]], add_cloud_metadata=null
2019-02-06T11:07:47.977+0530 INFO elasticsearch/client.go:163 Elasticsearch url: http://localhost:9200
2019-02-06T11:07:47.984+0530 INFO [publisher] pipeline/module.go:110 Beat name: DESKTOP-UDIN3D6
2019-02-06T11:07:47.987+0530 INFO beater/winlogbeat.go:68 State will be read from and persisted to C:\Program Files\winlogbeat\data.winlogbeat.yml
2019-02-06T11:07:47.989+0530 DEBUG [processors] processors/processor.go:66 Processors:
2019-02-06T11:07:47.990+0530 DEBUG [processors] processors/processor.go:66 Processors:
2019-02-06T11:07:47.991+0530 DEBUG [processors] processors/processor.go:66 Processors:
2019-02-06T11:07:47.991+0530 INFO elasticsearch/client.go:163 Elasticsearch url: http://localhost:9200
2019-02-06T11:07:48.040+0530 INFO elasticsearch/client.go:713 Connected to Elasticsearch version 6.5.3
2019-02-06T11:07:48.093+0530 INFO template/load.go:129 Template already exists and will not be overwritten.
Loaded index template
Loading dashboards (Kibana must be running and reachable)
2019-02-06T11:07:48.128+0530 INFO elasticsearch/client.go:163 Elasticsearch url: http://localhost:9200
2019-02-06T11:07:48.161+0530 INFO elasticsearch/client.go:713 Connected to Elasticsearch version 6.5.3
2019-02-06T11:07:48.162+0530 INFO kibana/client.go:118 Kibana url: http://localhost:5601
2019-02-06T11:07:51.650+0530 INFO instance/beat.go:717 Kibana dashboards successfully loaded.
Loaded dashboards
PS C:\Program Files\winlogbeat> Start-Service winlogbeat

After doing this I restarted logstash:

C:\ELK\logstash-6.5.3\bin>logstash -f demo-winlog-pipeline.conf
Sending Logstash logs to C:/ELK/logstash-6.5.3/logs which is now configured via log4j2.properties
[2019-02-06T11:11:27,417][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2019-02-06T11:11:27,652][INFO ][logstash.runner ] Starting Logstash {"logstash.version"=>"6.5.3"}
[2019-02-06T11:11:37,022][INFO ][logstash.pipeline ] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>4, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50}
[2019-02-06T11:11:39,096][INFO ][logstash.outputs.elasticsearch] Elasticsearch pool URLs updated {:changes=>{:removed=>, :added=>[http://localhost:9200/]}}
[2019-02-06T11:11:41,744][WARN ][logstash.outputs.elasticsearch] Restored connection to ES instance {:url=>"http://localhost:9200/"}
[2019-02-06T11:11:41,926][INFO ][logstash.outputs.elasticsearch] ES Output version determined {:es_version=>6}
[2019-02-06T11:11:41,934][WARN ][logstash.outputs.elasticsearch] Detected a 6.x and above cluster: the type event field won't be used to determine the document _type {:es_version=>6}
[2019-02-06T11:11:42,004][INFO ][logstash.outputs.elasticsearch] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["//localhost:9200"]}
[2019-02-06T11:11:49,785][INFO ][logstash.inputs.beats ] Beats inputs: Starting input listener {:address=>"0.0.0.0:5044"}
[2019-02-06T11:11:49,819][INFO ][logstash.pipeline ] Pipeline started successfully {:pipeline_id=>"main", :thread=>"#<Thread:0x39a1e568 run>"}
[2019-02-06T11:11:50,566][INFO ][logstash.agent ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>}
[2019-02-06T11:11:54,077][INFO ][org.logstash.beats.Server] Starting server on port: 5044
[2019-02-06T11:11:55,387][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}

And the result is the same, not dropping events:
[Screenshot: Kibana Discover, 2019-02-06]

Is there anything wrong I have made?

The logs also look good. So I think this instance of Winlogbeat is doing what I would expect. Just to ensure that the test methodology is good, I would add a tag to the events so you can be sure that the events were produced after the config change.

So add

tags: [test_run_01]

to the config file. Then restart. Then do a search in Kibana for tags: test_run_01 AND event_id: 4663 and check to see if any new events get indexed from this machine with 4663.

I have done what you mentioned; after that:
The time I restarted is 11:58 (logstash), 11:56 (winlogbeat).
It is shown in kibana like this:

[Screenshot: Kibana Discover, 2019-02-06 (3)]

Before restarting I deleted my today's index of winlogbeat in both elastic and kibana.

I cannot understand what it is doing under tags??
It's working correctly.

Not sure what you are asking. beats_input_codec_plain_applied is added by Logstash. You can disable that tag if you want with include_codec_tag => false.

In the logstash config file:

input {
  beats {
    port => 5044
  }
}

filter {
  if [system][process] {
    if [system][process][cmdline] {
      grok {
        match => {
          "[system][process][cmdline]" => "^%{PATH:[system][process][cmdline_path]}"
        }
        remove_field => "[system][process][cmdline]"
      }
    }
  }
}

output {
  elasticsearch {
    hosts => "localhost:9200"
    manage_template => false
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
}

My goal is that I want to filter in beats and then ship to logstash; there I don't need to filter anything, just push whatever logs are configured on to elastic. This is the main goal.

For this, how do I have to write the logstash config file?
Is what I have already written correct, or do I have to correct it?
