For some reason, my winlogbeat indexes are not being created. I have installed the template manually and verified that it is there along with my default logstash template. I also see data hitting my logstash listening port (5170) via tcpdump. However, if I go into kibana and try to add an index pattern for winlogbeat-*, it doesn't recognize any. Also, if I request a list of indices from elasticsearch, I only see my existing logstash-* indices and no winlogbeat-* indices. What would be the best way to troubleshoot this? I am currently running winlogbeat/logstash/elasticsearch 5.1.2 with the following config. Thanks for any help!
```yaml
winlogbeat:
  registry_file: C:/ProgramData/winlogbeat/.winlogbeat.yml
  event_logs:
    - name: Application
      ignore_older: 72h
    - name: Security
      ignore_older: 72h
    - name: System
      ignore_older: 72h
    - name: Microsoft-Windows-Sysmon/Operational
      ignore_older: 72h

output:
  logstash:
    hosts: ["172.30.1.101:5170"]
    worker: 1
    index: winlogbeat

logging.to_files: true
logging.files:
  path: C:/ProgramData/winlogbeat/Logs
  rotateeverybytes: 10485760 # = 10MB
  keepfiles: 3
logging.level: info
```
My logstash config (INPUT):
```
input {
  beats {
    port => 5150
    codec => json
    type => "suricata"
    tags => ["suricata"]
  }
  beats {
    port => 5170
    type => "winlogbeat"
  }
}
```
My logstash config (OUTPUT):
```
output {
  elasticsearch { hosts => ["localhost:9200"] }
}
```
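An added example, not part of the original post, that shows where events end up for the two sides of this setup. Two facts drive it: the Logstash `elasticsearch` output writes to `logstash-%{+YYYY.MM.dd}` whenever its `index` option is left unset (as in the output block above), and the `index: winlogbeat` setting in Winlogbeat's `logstash` output is only shipped to Logstash as the `[@metadata][beat]` field, which Logstash ignores unless the output references it. The Beats documentation therefore configures the output with `index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"`. The script below is a small re-implementation of just enough of Logstash's `%{...}` sprintf syntax (field references and `+` date patterns) to render an index name from an event, and a parser for `GET _cat/indices?v` output to confirm which index families are missing. The events, the `filebeat` beat name assumed for the Suricata feed, the uuids and the `_cat/indices` listing are all constructed sample data, not anything captured from the poster's cluster.

```python
"""Trace which index a Beats event lands in under a given Logstash `index` setting."""
import fnmatch
import re
from datetime import datetime

# Default of the Logstash elasticsearch output when `index` is not set.
DEFAULT_INDEX = "logstash-%{+YYYY.MM.dd}"
# Setting from the Beats docs: one index family per Beat, named by [@metadata][beat].
BEATS_INDEX = "%{[@metadata][beat]}-%{+YYYY.MM.dd}"

# Constructed events, shaped like what the beats input hands to the pipeline.
# `index: winlogbeat` in winlogbeat.yml arrives as [@metadata][beat] == "winlogbeat".
# The Suricata feed is assumed (hypothetically) to come from Filebeat.
SAMPLE_EVENTS = [
    {"@timestamp": "2017-01-25T14:03:00.000Z", "type": "winlogbeat",
     "@metadata": {"beat": "winlogbeat", "type": "wineventlog"},
     "log_name": "Security", "event_id": 4624},
    {"@timestamp": "2017-01-25T14:03:01.000Z", "type": "suricata",
     "@metadata": {"beat": "filebeat", "type": "log"},
     "event_type": "alert"},
]

# Only the Joda tokens needed for the patterns above are translated.
_JODA_TO_STRFTIME = {"YYYY": "%Y", "MM": "%m", "dd": "%d"}
_TOKEN = re.compile(r"%\{([^}]+)\}")


def _lookup(event, ref):
    """Resolve a Logstash field reference such as [@metadata][beat] or a bare name."""
    parts = re.findall(r"\[([^\]]+)\]", ref) or [ref]
    cur = event
    for part in parts:
        if not isinstance(cur, dict) or part not in cur:
            return "%{" + ref + "}"  # Logstash leaves unresolved references verbatim
        cur = cur[part]
    return str(cur)


def render_index(pattern, event):
    """Render an `index =>` pattern for one event (field refs and %{+date} only)."""
    ts = datetime.strptime(event["@timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")

    def substitute(match):
        ref = match.group(1)
        if ref.startswith("+"):
            fmt = ref[1:]
            for joda, py in _JODA_TO_STRFTIME.items():
                fmt = fmt.replace(joda, py)
            return ts.strftime(fmt)
        return _lookup(event, ref)

    return _TOKEN.sub(substitute, pattern)


def route(events, pattern):
    """Index name each event would be written to under `pattern`."""
    return [render_index(pattern, e) for e in events]


def parse_cat_indices(text):
    """Index names from `GET _cat/indices?v` output; the third column is `index`."""
    names = []
    for line in text.strip().splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) >= 3:
            names.append(cols[2])
    return names


def missing_index_families(cat_text, expected_patterns):
    """Expected wildcard patterns (e.g. winlogbeat-*) with no matching index."""
    present = parse_cat_indices(cat_text)
    return [p for p in expected_patterns
            if not any(fnmatch.fnmatch(name, p) for name in present)]


# Constructed `_cat/indices?v` listing: only logstash-* indices exist.
SAMPLE_CAT_INDICES = """\
health status index               uuid   pri rep docs.count docs.deleted store.size pri.store.size
yellow open   logstash-2017.01.24 abc123   5   1      98210            0     61.2mb         61.2mb
yellow open   logstash-2017.01.25 def456   5   1      41077            0     27.9mb         27.9mb
"""

if __name__ == "__main__":
    print("unset index (default):", route(SAMPLE_EVENTS, DEFAULT_INDEX))
    print("beats-style index:    ", route(SAMPLE_EVENTS, BEATS_INDEX))
    print("missing families:     ",
          missing_index_families(SAMPLE_CAT_INDICES, ["winlogbeat-*", "logstash-*"]))
```

With the output block as posted, both constructed events render to `logstash-2017.01.25`, which matches the symptom of only `logstash-*` indices appearing; with the Beats-style pattern they split into `winlogbeat-2017.01.25` and `filebeat-2017.01.25`. For a live check, feed the real `curl -s 'localhost:9200/_cat/indices?v'` output to `missing_index_families`, and remember that the `winlogbeat` template only applies to indices whose names match its `template` pattern, so the index name has to be right before the template matters.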