Visualizing Winlogbeat data in Kibana


(Mike ) #1

Hi-

I am able to run the Winlogbeat script successfully and to publish to Elasticsearch (localhost:9020).
But I can't see any of that data on the Kibana dashboard. I am able to add the index, but it shows no records found.
Please help.

I have the setup on Windows 7.

Are there any commands to check whether Elasticsearch or Kibana is receiving the data from Winlogbeat? Please let me know.


(Court Ewing) #2

Assuming you're on Kibana 5, what's the output if you go to Dev Tools > Console and run the following request?

GET winlogbeat-*/_count


(Mike ) #3

Yes, you are absolutely right.
I have my setup on version 5.1.1 and I ran the command given in Kibana; below is the snippet:

{
  "count": 0,
  "_shards": {
    "total": 0,
    "successful": 0,
    "failed": 0
  }
}

I've attached the screenshots of the logs. I have my setup on Windows 7. Please let me know.

But my Winlogbeat service is running fine and sending logs.


(Court Ewing) #4

It seems like there are no documents in that index, so my initial thought is that something might be wrong with the ingestion process or configuration. I've moved this topic to the winlogbeat forum to increase the likelihood of getting expert help on that.

Just to rule it out: do you have x-pack installed, and if so, does your current user have access to the documents in that index?


(Mike ) #5

Yes, I had installed X-PACK on Kibana and Elastic Search.
I really don't know about the privileges I had with the given user id, i.e.. username: "kibana", password: "changeme"

Would you please let me know, how do I give full access to this user, since I tried accessing the Management tab, it says access is denied.

Please let me know. Thanks !


(Court Ewing) #6

Ah ha! That would do it. The built-in kibana user is an internal user that only has access to internal Kibana indices. Out of the box, there is a superuser named elastic with the password changeme that has access to all indices. I'd recommend that you use that user right now just to confirm that you can see the necessary data.

We don't recommend using a superuser in Kibana in general, though, just to minimize the amount of permissions that Kibana users have on the underlying Elasticsearch clusters. Instead, you'll want to create a new user and give them the kibana_user role in addition to the read permissions they'll need on the winlogbeat-* indices: https://www.elastic.co/guide/en/x-pack/current/kibana.html

As an aside, please make sure to change the passwords of the built-in users before exposing your Kibana to the network: https://www.elastic.co/guide/en/x-pack/current/setting-up-authentication.html#built-in-users

I'm moving this back to the Kibana forum since this doesn't seem to be an ingestion issue after all.
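
The least-privilege setup described in reply #6, as an added example that is not part of this thread: it builds the role and user bodies for the 5.x X-Pack security API, creates them once as the elastic superuser, and then re-runs the `_count` check from reply #2 as the new user. The role name, user name, password placeholder and the localhost:9200 URL are assumptions; `view_index_metadata` is an assumed extra privilege beyond the `read` the reply mentions.

```python
import base64
import json
import urllib.request

# Constructed defaults: the thread gives no host, so Elasticsearch's standard
# HTTP port is assumed. ROLE_NAME and the user below are hypothetical names.
ES_URL = "http://localhost:9200"
ROLE_NAME = "winlogbeat_reader"


def winlogbeat_reader_role():
    """Role body for POST /_xpack/security/role/<name>: read-only on winlogbeat-*."""
    return {
        "indices": [{
            "names": ["winlogbeat-*"],
            # 'read' is what reply #6 calls for; 'view_index_metadata' (assumed)
            # lets Kibana load field mappings when creating the index pattern.
            "privileges": ["read", "view_index_metadata"],
        }]
    }


def analyst_user(password):
    """User body: kibana_user (Kibana's own indices) plus the custom read role."""
    return {"password": password, "roles": ["kibana_user", ROLE_NAME]}


def diagnose_count(resp):
    """Interpret a GET winlogbeat-*/_count response.

    _shards.total == 0 means the pattern resolved to no index the caller may see:
    nothing indexed under that name, or (as in this thread) the user lacks
    privileges. Shards > 0 with count 0 means the index exists but is empty,
    which points at ingestion rather than permissions.
    """
    if resp.get("_shards", {}).get("total", 0) == 0:
        return "no-visible-index"
    return "empty-index" if resp.get("count", 0) == 0 else "has-documents"


def _request(method, path, body, user, password):
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        ES_URL + path, method=method,
        data=json.dumps(body).encode() if body is not None else None,
        headers={"Authorization": "Basic " + token,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as r:
        return json.load(r)


if __name__ == "__main__":
    admin = ("elastic", "changeme")  # built-in superuser; used only for setup
    _request("POST", f"/_xpack/security/role/{ROLE_NAME}", winlogbeat_reader_role(), *admin)
    _request("POST", "/_xpack/security/user/winlog_analyst", analyst_user("REPLACE_ME"), *admin)
    # Re-run the check from reply #2 as the new user; expect "has-documents".
    print(diagnose_count(_request("GET", "/winlogbeat-*/_count", None, "winlog_analyst", "REPLACE_ME")))
```

If the new user still gets "no-visible-index" while elastic sees documents, the role's index names do not match the actual index pattern.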


(system) #7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.