Visualizing Winlogdata on the Kibana

prakash1243 · December 26, 2016, 7:07am

Hi-

Am able to run the Winlogbeat script successfully and able to publish it to the Elastcsearch (localhost:9020).
But, I couldn't see any of that data on the Kibana dashboard. Am able to add the Index, but shows no record found.
Please help.

Am having the setup on Windows-7.

Is there any commands to check, whether Elastic search or Kibana receiving the data from Winlogbeats ? Please let e know.

Court · December 26, 2016, 3:00pm

Assuming you're on Kibana 5, what's the output if you go to Dev Tools > Console and run the following request?

GET winlogbeat-*/_count

prakash1243 · December 26, 2016, 4:27pm

Yes, You are absolutely right.
Am having my setup with 5.1.1 version and I've ran the command given on Kiabana ; below is the snippet:

{
"count": 0,
"_shards": {
"total": 0,
"successful": 0,
"failed": 0
}
}

I've attached the screenshots of the logs, Am having my setup on Windows-7. Please let me know.

But, My Winlgbeats service is running fine, sending logs

Court · December 26, 2016, 4:52pm

It seems like there are no documents in that index, so my initial thought is that something might be wrong with the ingestion process or configuration. I've moved this topic to the winlogbeat forum to increase the likelihood of getting expert help on that.

Just to rule it out: do you have x-pack installed, and if so, does your current user have access to the documents in that index?

prakash1243 · December 26, 2016, 4:54pm

Yes, I had installed X-PACK on Kibana and Elastic Search.
I really don't know about the privileges I had with the given user id, i.e.. username: "kibana", password: "changeme"

Would you please let me know, how do I give full access to this user, since I tried accessing the Management tab, it says access is denied.

Please let me know. Thanks !

Court · December 26, 2016, 5:10pm

Ah ha! That would do it. The built in kibana user is an internal user that only has access to internal kibana indices. Out of the box, there is a superuser named elastic with the password changeme that has access to all indices. I'd recommend that you use that user right now just to confirm that you can see the necessary data.

We don't recommend using a super user in Kibana in general though just to minimize the amount of permissions that Kibana users have for the underlying elasticsearch clusters. Instead, you'll want to create a new user and give them access to the kibana_user role in addition to the read permissions they'll need on the winlogbeat-* indices: https://www.elastic.co/guide/en/x-pack/current/kibana.html

As an aside, please make sure to change the passwords of the built-in users before exposing your Kibana to the network: https://www.elastic.co/guide/en/x-pack/current/setting-up-authentication.html#built-in-users

I'm moving this back to the Kibana forum since this doesn't seem to be an ingestion issue after all.

system · January 23, 2017, 5:10pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.