Hi Everyone,

I'm building a proof of concept using ELK + Winlogbeat to provide us with tools analysing data from Windows Event logs.

In this environment I have 2 servers: log server + ELK server

It looks like everything is working.

Events are being sent form the Logserver to ELK. I have an index pattern working...

However I have 2 questions:

1. I did have some prior test data in he ELK and I'd pushed the sample dashboards to it. This was so that I could demonstrate the idea to my manager. I have since cleared the old index and created a new one.

However the dashboard are all broken. The index has the same name "Winlogbeat-*"

On the dashboard in Kibana it says "click here to fix" but it's not clickable. So I am totally confused.

2. I have many weeks of events in the log ForwardedEvents however the Index is only showing events from a couple of days.

How do I get it to go back further. Note that I have the following entry in my config:

winlogbeat.event_logs:

• name: ForwardedEvents
  ignore_older: 8760h

ignore_older: 72h

- name: Application

- name: Security

- name: System

Hello @gavin.mcmenemy

What version of Winlogbeat, Elasticsearch and Kibana are you running?

I am asking that because we don't need to push dashboard with the latest version it is done by the agent on first start.

Concerning 2, You should be able to change the time period using the time picker which is located at the top right of Kibana.

HI Pier,

Thanks for the reply.

I'm very new to ELK and Winlogbeat. I followed the getting started section of the documentation.

In answer to your question:

Everything is the latest version. I'm following the latest edition of your documentation.

Forgive my ignorance but does this section not push dashoards?

https://www.elastic.co/guide/en/beats/winlogbeat/current/load-kibana-dashboards.html

As I say, the sample dashboards were working until the index was deleted. I'm not sure how I bring them back.

Hi @gavin.mcmenemy,

Which index pattern shows up in Kibana when you go to Management -> Index Pattern ? Is it set as default?

Also paste the result of running GET /_cat/indices in Dev Tools

Hi Adrian:

Under Management -> Index pattern I see the following:

Capture1714×774 75.4 KB

There's only the one index - to is it not set as default? I can see the star there.

The Get /_cat/indices shows the following

yellow open winlogbeat-6.2.4-2018.07.01 T1f2DAPDTjKHwlRxnBs3ew 3 1 111783 0 92.6mb 92.6mb
yellow open winlogbeat-6.2.4-2018.06.29 ezqsbVgySLKi8iOsZ5-R4w 3 1 102056 0 86.3mb 86.3mb
yellow open winlogbeat-6.2.4-2018.06.30 Gd2c0_METym_PYx6GnnTYg 3 1 114268 0 94.7mb 94.7mb
yellow open winlogbeat-6.2.4-2018.07.02 7U-3kTXJTjePtynZ5Dg7cQ 3 1 82487 0 75.3mb 75.3mb
green open .kibana MSO-JBOKRDuPICFbqkg7Uw 1 0 8 2 39.7kb 39.7kb

I think the "yellow" is a config issue.

Can you try installing the dashboards again? Run winlogbeat.exe --setup

Hey Adrian,

Thanks! That appears to have fixed the dashboards.

I'll have to remember to do that in the future. I know it only fixes the sample dashboards (and I have a lot more work to do there) it at least allowed me to get a visualisation of our existing data.

I am still unsure why the data isn't looking correct. Perhaps my Event Forwarding infrastructure has a problem? Who knows I can at least see there's an issue!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.