"Successfully published" but it didn't

I have set up Winlogbeat according to the instructions; however, logs do not show up in Kibana, despite the log stating "successfully published".

2019-10-21T11:37:59.647+0200 WARN elasticsearch/client.go:535 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0x946c75c, ext:63707247477, loc:(*time.Location)(nil)}, Meta:common.MapStr(nil), Fields:common.MapStr{"agent":common.MapStr{"ephemeral_id":"10e9afc2-1576-4643-86d2-0ef0070fcca7", "hostname":"LAPTOP-FEM9SVF4", "id":"0349223d-36a1-485d-bd95-8aa5e07a3a6c", "type":"winlogbeat", "version":"7.4.0"}, "ecs":common.MapStr{"version":"1.1.0"}, "event":common.MapStr{"action":"User Account Management", "code":0x12be, "created":common.Time{wall:0x24355bdc, ext:63707247478, loc:(*time.Location)(nil)}, "kind":"event"}, "host":common.MapStr{"architecture":"x86_64", "hostname":"LAPTOP-FEM9SVF4", "id":"7f1b6202-cde5-4247-b9ab-da3c0724d18b", "name":"LAPTOP-FEM9SVF4", "os":common.MapStr{"build":"18362.418", "family":"windows", "kernel":"10.0.18362.418 (WinBuild.160101.0800)", "name":"Windows 10 Pro", "platform":"windows", "version":"10.0"}}, "log":common.MapStr{"level":"information"}, "message":"A user's local group membership was enumerated.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tLAPTOP-FEM9SVF4$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nUser:\n\tSecurity ID:\t\tS-1-5-21-3162102966-2696753098-2875345929-1001\n\tAccount Name:\t\tArtjoms Jakovenko\n\tAccount Domain:\t\tLAPTOP-FEM9SVF4\n\nProcess Information:\n\tProcess ID:\t\t0x2ee0\n\tProcess Name:\t\tC:\Windows\System32\LogonUI.exe", "winlog":common.MapStr{"activity_id":"{83670da8-8403-0002-4f0e-67830384d501}", "api":"wineventlog", "channel":"Security", "computer_name":"LAPTOP-FEM9SVF4", "event_data":common.MapStr{"CallerProcessId":"0x2ee0", "CallerProcessName":"C:\Windows\System32\LogonUI.exe", "SubjectDomainName":"WORKGROUP", "SubjectLogonId":"0x3e7", "SubjectUserName":"LAPTOP-FEM9SVF4$", "SubjectUserSid":"S-1-5-18", "TargetDomainName":"LAPTOP-FEM9SVF4", "TargetSid":"S-1-5-21-3162102966-2696753098-2875345929-1001", "TargetUserName":"Artjoms Jakovenko"}, 
"event_id":0x12be, "keywords":string{"Audit Success"}, "opcode":"Info", "process":common.MapStr{"pid":0x2fc, "thread":common.MapStr{"id":0x359c}}, "provider_guid":"{54849625-5478-4994-a5ba-3e3b0328c30d}", "provider_name":"Microsoft-Windows-Security-Auditing", "record_id":0xbee7, "task":"User Account Management"}}, Private:checkpoint.EventLogState{Name:"Security", RecordNumber:0xbee7, Timestamp:time.Time{wall:0x946c75c, ext:63707247477, loc:(*time.Location)(nil)}, Bookmark:"\r\n \r\n"}, TimeSeries:false}, Flags:0x1} (status=400): {"type":"invalid_index_name_exception","reason":"Invalid index name [winLogs], must be lowercase","index_uuid":"na","index":"winLogs"}
2019-10-21T11:37:59.647+0200 INFO beater/eventlogger.go:76 EventLog[Security] successfully published 1 events

#======================= Winlogbeat specific options ===========================

winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h

  - name: System

  - name: Security
    processors:
      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js

  - name: Microsoft-Windows-Sysmon/Operational
    processors:
      - script:
          lang: javascript
          id: sysmon
          file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js

#==================== Elasticsearch template settings ==========================

setup.template.name: "winlogbeat"
setup.template.pattern: "winlogbeat-*"

setup.template.settings:
  index.number_of_shards: 1

#============================== Kibana =====================================

setup.kibana:

cloud.id: "CONFIDENTIALFORQUESTION"

cloud.auth: "CONFIDENTIALFORQUESTION"

#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:
  index: "winLogs"

#================================ Processors =====================================

processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~

Elasticsearch requires index names to be lowercase.

I would not recommend customizing the index name if this is your first time using Winlogbeat. Give it a try first with the defaults, and then read a bit more about Elasticsearch indices, mappings, and templates. When you change the index name you will need to change the index template pattern (setup.template.pattern) to match the index naming scheme that you have chosen.

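One way to catch this misconfiguration before events are silently dropped, as an added example that is not code from the thread or from Winlogbeat itself: a small Python lint of output.elasticsearch.index against the documented Elasticsearch index-name rules and against setup.template.pattern. The value substituted for Beats placeholders such as %{[agent.version]} is a constructed sample, not what Winlogbeat would emit.

```python
import fnmatch
import re

# Index-name rules documented for Elasticsearch 7.x. The "must be lowercase"
# rule is the one behind the invalid_index_name_exception in the log above.
_FORBIDDEN = set('\\/*?"<>| ,#:')
# Beats format-string placeholders such as %{[agent.version]} or %{+yyyy.MM.dd};
# a constructed stand-in value is substituted so the literal parts can be checked.
_PLACEHOLDER = re.compile(r"%\{[^}]*\}")


def check_index_name(name: str) -> list[str]:
    """Return the rule violations for an index name (an empty list means valid)."""
    problems = []
    if name != name.lower():
        problems.append("must be lowercase")
    bad = sorted(_FORBIDDEN & set(name))
    if bad:
        problems.append("forbidden characters: " + "".join(bad))
    if name[:1] in ("-", "_", "+"):
        problems.append("must not start with '-', '_' or '+'")
    if name in (".", ".."):
        problems.append("must not be '.' or '..'")
    if len(name.encode("utf-8")) > 255:
        problems.append("longer than 255 bytes")
    return problems


def check_output_config(index: str, template_pattern: str) -> list[str]:
    """Lint the two winlogbeat.yml settings that have to agree:
    output.elasticsearch.index and setup.template.pattern."""
    # Constructed sample expansion of any %{...} placeholder in the index setting.
    concrete = _PLACEHOLDER.sub("7.4.0-2019.10.21", index)
    problems = ["output.elasticsearch.index " + p for p in check_index_name(concrete)]
    if not fnmatch.fnmatchcase(concrete, template_pattern):
        problems.append(
            f"setup.template.pattern {template_pattern!r} does not match index "
            f"{concrete!r}, so the template mappings will not be applied")
    return problems


if __name__ == "__main__":
    # The settings from the thread, then a corrected pair.
    for idx, pat in (("winLogs", "winlogbeat-*"), ("winlogs-%{+yyyy.MM.dd}", "winlogs-*")):
        print(idx, pat, check_output_config(idx, pat) or "OK")
```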

Thank you for the response, it helped. Indeed the issue was letter capitalization.
I did not realize the warning message contained the error description and was only trying to solve the "Cannot index event publisher.Event" error.
The end of the string is especially unlikely to be seen when you inspect logs with Notepad++. Perhaps it may help you reduce the number of support tickets on these basic problems if the error description were moved to the start :)
