Hi All,
After rebuilding the entire Elastic stack to 7.16.3, I wanted to expand it to also monitor our Windows servers.
I have a winlogbeat config that looks like this:
winlogbeat.event_logs:
  - name: Security
    fields:
      logtype: winlogbeat
  - name: Application
    fields:
      logtype: winlogbeat
  - name: System
    fields:
      logtype: winlogbeat

setup.template.settings:
  index.number_of_shards: 2

output.logstash:
  hosts: ["logstash.onead.dk:5000"]
My Logstash pipeline config looks like this:
input {
  beats {
    port => 5000
    ecs_compatibility => disabled
  }
  syslog {
  }
}

#############################################
# Winlogbeat does not require processing    #
#############################################
...

output {
  elasticsearch {
    hosts => "https://elasticsearch:9200"
    index => "%{[fields][logtype]}-%{[@metadata][version]}-%{+YYYY.MM}"
    # document_type is deprecated: Elasticsearch 7 removed mapping types
    document_type => "%{[@metadata][type]}"
    cacert => "/usr/share/logstash/config/certs/ca/ca.crt"
    user => "XXX"
    password => "XXX"
  }
}
I can see data flowing nicely into Elastic, but when I open the dashboards that are installed by default, most of them are empty.
What did I do wrong?
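A check worth running against a setup like the one above, added here as an example and not part of the original post: resolve the `index =>` sprintf template the way Logstash does for a sample event from each input that shares the pipeline, and confirm the resulting index names are valid and match the `winlogbeat-*` index pattern the stock Winlogbeat dashboards are built on. Logstash leaves a field reference that does not exist in the event as literal text, so an event from the `syslog {}` input (which carries no `fields.logtype` and no `@metadata.version`) would be written to an index literally named `%{[fields][logtype]}-%{[@metadata][version]}-2022.01`. The dashboards also depend on the ECS fields that Winlogbeat's ingest pipeline adds; per Winlogbeat's Logstash-output documentation, that pipeline only runs when the elasticsearch output passes it through with `pipeline => "%{[@metadata][pipeline]}"`, so the sample events below carry `[@metadata][pipeline]` to show what would be forwarded. The sample events, the index-pattern name and the Joda-to-strftime token table are constructed assumptions for this example.

```python
import re
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# The index template from the pipeline config above.
INDEX_TEMPLATE = "%{[fields][logtype]}-%{[@metadata][version]}-%{+YYYY.MM}"
# Index pattern used by the default Winlogbeat dashboards (assumption for this check).
DASHBOARD_INDEX_PATTERN = "winlogbeat-*"

# Constructed sample events: one as Winlogbeat 7.16.3 would hand it to the beats
# input, one as the syslog input produces it (no fields.logtype, no @metadata).
WINLOGBEAT_EVENT = {
    "@timestamp": "2022-01-15T10:00:00.000Z",
    "@metadata": {"beat": "winlogbeat", "version": "7.16.3", "type": "_doc",
                  "pipeline": "winlogbeat-7.16.3-routing"},  # assumed pipeline name
    "fields": {"logtype": "winlogbeat"},
    "winlog": {"channel": "Security", "event_id": 4624},
}
SYSLOG_EVENT = {
    "@timestamp": "2022-01-15T10:00:00.000Z",
    "message": "sshd[123]: Accepted publickey for admin",
}

# Subset of Joda date tokens accepted inside %{+...}, mapped to strftime.
JODA_TO_STRFTIME = {"YYYY": "%Y", "MM": "%m", "dd": "%d", "HH": "%H"}
SPRINTF_REF = re.compile(r"%\{([^}]+)\}")
# Characters Elasticsearch rejects in index names.
FORBIDDEN_INDEX_CHARS = set('\\/*?"<>| ,#:')


def get_field(event, ref):
    """Resolve a Logstash field reference such as '[fields][logtype]' or 'message'."""
    parts = re.findall(r"\[([^\]]+)\]", ref) or [ref]
    cur = event
    for part in parts:
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def event_time(event):
    """Use the event's @timestamp for %{+...} tokens, as Logstash does; fall back to now."""
    ts = event.get("@timestamp")
    if ts is None:
        return datetime.now(timezone.utc)
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def render_index(template, event):
    """Render a Logstash sprintf template; unresolved references stay literal, like Logstash."""
    when = event_time(event)

    def substitute(match):
        ref = match.group(1)
        if ref.startswith("+"):
            fmt = ref[1:]
            for joda, py in JODA_TO_STRFTIME.items():
                fmt = fmt.replace(joda, py)
            return when.strftime(fmt)
        value = get_field(event, ref)
        return match.group(0) if value is None else str(value)

    return SPRINTF_REF.sub(substitute, template)


def check_index(name, pattern=DASHBOARD_INDEX_PATTERN):
    """Return a list of problems that would keep documents out of the dashboards."""
    problems = []
    if "%{" in name:
        problems.append("unresolved field reference left in index name")
    if name != name.lower():
        problems.append("index name must be lowercase")
    bad = sorted(FORBIDDEN_INDEX_CHARS & set(name))
    if bad:
        problems.append("forbidden characters in index name: %r" % bad)
    if not fnmatchcase(name, pattern):
        problems.append("index name does not match dashboard pattern %s" % pattern)
    return problems


def forwarded_pipeline(event):
    """Value that `pipeline => "%{[@metadata][pipeline]}"` would send to Elasticsearch."""
    return get_field(event, "[@metadata][pipeline]")


if __name__ == "__main__":
    for label, event in (("winlogbeat", WINLOGBEAT_EVENT), ("syslog", SYSLOG_EVENT)):
        name = render_index(INDEX_TEMPLATE, event)
        print(label, "->", name, check_index(name) or "OK",
              "ingest pipeline:", forwarded_pipeline(event))
```

Running it shows the Winlogbeat event landing in `winlogbeat-7.16.3-2022.01` with no problems, while the syslog event produces an index name with unresolved references that the dashboards' pattern will never match; the usual fix is to route each input to its own output (for example with a conditional on `[@metadata][beat]`) rather than sharing one index template.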