No index matching for Windows Forwarded events

I am sending Windows events via a WEC server on which Elastic Agent is installed and is sending events to Elasticsearch.
By default, events are put into indices with the pattern "logs-windows.forwarded-default", and it looks like event parsing is working OK.
But the rules are not working, with the warning:
"This rule is attempting to query data from Elasticsearch indices listed in the "Index patterns" section of the rule definition, however no index matching: ["winlogbeat-","logs-endpoint.events.file-","logs-windows.sysmon_operational-","endgame-","logs-sentinel_one_cloud_funnel.*"] was found. This warning will continue to appear until a matching index is created or this rule is disabled."
How can I fix this?

Welcome @isever24 !

I am assuming by your description that you are using a prebuilt rule here. If that is the case, then what I would suggest is duplicating the rule so that you can modify the indices it searches to something like: logs-windows.forwarded-*. You can then disable the prebuilt rule.

A note here - when duplicating prebuilt rules you will need to manually make any updates to the duplicated rule when any new versions come out. We are working on improving the user experience here.

Let me know if that helps!
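The duplicate-and-repoint step above, done through the Kibana Detection Engine REST API instead of the UI. This is an added example, not code from the thread or from Elastic; it assumes the `GET`/`POST /api/detection_engine/rules` endpoints, an API key in the `KIBANA_API_KEY` environment variable, and that the set of server-managed fields stripped in `MANAGED_FIELDS` matches what your Kibana version rejects on create (an assumption to verify against your version).

```python
"""Duplicate a prebuilt Kibana detection rule so it reads logs-windows.forwarded-*.

Added example (not from the original thread). Assumes the Detection Engine
REST API and an API key in KIBANA_API_KEY; MANAGED_FIELDS is an assumed set.
"""
import json
import os
import sys
import urllib.request

# Fields Kibana manages itself or that mark a rule as prebuilt; sending them
# on create is rejected or would mislabel the copy (assumed set, adjust per version).
MANAGED_FIELDS = {
    "id", "rule_id", "immutable", "rule_source", "version", "revision",
    "created_at", "created_by", "updated_at", "updated_by",
    "execution_summary", "outcome",
}


def make_duplicate(rule: dict, new_indices: list, name_suffix: str = " (forwarded)") -> dict:
    """Return a create-ready copy of `rule` that queries `new_indices` instead."""
    dup = {k: v for k, v in rule.items() if k not in MANAGED_FIELDS}
    dup["name"] = rule["name"] + name_suffix       # keep the original's name recognisable
    dup["index"] = list(new_indices)               # e.g. ["logs-windows.forwarded-*"]
    dup["enabled"] = True                          # the prebuilt original can then be disabled
    return dup


def _call(kibana: str, method: str, path: str, body: dict = None) -> dict:
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(kibana + path, method=method, data=data)
    req.add_header("kbn-xsrf", "true")             # required by Kibana on non-GET requests
    req.add_header("Content-Type", "application/json")
    req.add_header("Authorization", "ApiKey " + os.environ["KIBANA_API_KEY"])
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def duplicate_rule(kibana: str, rule_id: str, new_indices: list) -> dict:
    """Fetch the prebuilt rule by its rule_id and create a repointed copy."""
    original = _call(kibana, "GET", f"/api/detection_engine/rules?rule_id={rule_id}")
    return _call(kibana, "POST", "/api/detection_engine/rules", make_duplicate(original, new_indices))


if __name__ == "__main__":
    # usage: python duplicate_rule.py https://kibana.example:5601 <prebuilt rule_id>
    created = duplicate_rule(sys.argv[1], sys.argv[2], ["logs-windows.forwarded-*"])
    print(json.dumps({"id": created["id"], "name": created["name"], "index": created["index"]}, indent=2))
```

As the answer notes, the copy will not receive prebuilt-rule updates, so rerun this (or re-diff the copy) after each rule package upgrade.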

Can't I change the index pattern to something else in the ingest pipeline or data stream, so that the Agent puts those events in indices with the pattern winlogbeat-*, for example?
