Winlogbeat 1.x works fine but can't get 5 up

(sean) #1

First post - trying to set up winlogbeat on Server 2012 R2. I'm able to get the older version to function but V5 seems to fall over because I can't load the template.

PowerShell is a no go it seems, but running curl from the ELK box with the supplied template in a local folder doesn't work.
curl -XPUT http://localhost:9200/_template/winlogbeat -d@/tmp/winlogbeatjson1/winlogbeat.template.json

And I get a string of errors
{"error":{"root_cause":[{"type":"mapper_parsing_exception","reason":"No handler for type [keyword] declared on field [related_activity_id]"}],"type":"mapper_parsing_exception","reason":"Failed to parse mapping [default]: No handler for type [keyword] declared on field [related_activity_id]","caused_by":{"type":"mapper_parsing_exception","reason":"No handler for type [keyword] declared on field [related_activity_id]"}},"status":400}

SSL/TLS is irrelevant in this config so has been removed. I've followed the getting started guide to the letter and have hit this same issue on two machines.

Where is the relevant template for 5? I had a similar issue with the previous version until I loaded the correct json.

(Andrew Kroh) #2

Winlogbeat 5.x can automatically install the index template if it is not already installed. It detects the ES version (either 5.x or 2.x) and installs the appropriate index template. If using the recommended installation process and default elasticsearch output config this should happen by default. It will not overwrite a template if one already exists (but this is all configurable).

If you are using ES 2.x and you want to manually install the index template then use the winlogbeat.template-es2x.json file. It's for ES 2.x and does not make use of the newer keyword type.
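
The version detection and template selection described in the reply above, done by hand from the ELK box. This is an added example, not code from the original thread or from the Winlogbeat project: it asks Elasticsearch for its version, picks winlogbeat.template-es2x.json for 2.x or winlogbeat.template.json for 5.x, and refuses to overwrite a template that is already installed unless told to. The ES URL, the template directory (/tmp/winlogbeatjson1, taken from the original post) and the sample version response are assumptions; the sample JSON is constructed for the offline check.

```shell
#!/usr/bin/env bash
# Manual equivalent of what Winlogbeat 5.x does on startup: detect the
# Elasticsearch major version, choose the matching index template, and
# only PUT it when no template of that name exists yet.
# ES_URL and TEMPLATE_DIR are assumptions; override them from the environment.
set -u

ES_URL="${ES_URL:-http://localhost:9200}"
TEMPLATE_DIR="${TEMPLATE_DIR:-/tmp/winlogbeatjson1}"
TEMPLATE_NAME="winlogbeat"

# Constructed sample of the JSON that GET / returns on an ES 2.x node
# (only the fields used here). Used by the offline check, not by ES itself.
SAMPLE_ES2_INFO='{"name":"node-1","version":{"number":"2.4.1","build_hash":"abc"},"tagline":"You Know, for Search"}'

# Pull the major version out of the root response, e.g. "2.4.1" -> 2.
# Plain sed so this runs on a box without jq; the response may be
# pretty-printed across several lines, which sed handles line by line.
es_major_version() {
    printf '%s' "$1" | sed -n 's/.*"number" *: *"\([0-9]*\)\.[0-9.]*".*/\1/p'
}

# Map the major version to the template file shipped with Winlogbeat 5.x.
# The 2.x file avoids the "keyword" type that ES 2.x rejects with
# mapper_parsing_exception; the default file relies on it.
template_file_for() {
    case "$1" in
        2) echo "winlogbeat.template-es2x.json" ;;
        5) echo "winlogbeat.template.json" ;;
        *) return 1 ;;
    esac
}

# HEAD /_template/<name> answers 200 when the template is installed, 404 when not.
template_exists() {
    local code
    code=$(curl -s -o /dev/null -w '%{http_code}' -I "$ES_URL/_template/$1")
    [ "$code" = "200" ]
}

# install_template [yes|no]   -- second form overwrites an existing template.
install_template() {
    local overwrite="${1:-no}" info major file
    info=$(curl -s "$ES_URL/") || { echo "cannot reach $ES_URL" >&2; return 1; }
    major=$(es_major_version "$info")
    file=$(template_file_for "$major") || { echo "unsupported ES major version '$major'" >&2; return 1; }
    if template_exists "$TEMPLATE_NAME" && [ "$overwrite" != "yes" ]; then
        echo "template '$TEMPLATE_NAME' already present; not overwriting" >&2
        return 0
    fi
    [ -r "$TEMPLATE_DIR/$file" ] || { echo "missing $TEMPLATE_DIR/$file" >&2; return 1; }
    curl -s -XPUT "$ES_URL/_template/$TEMPLATE_NAME" -d "@$TEMPLATE_DIR/$file"
}
```

Run it as `install_template` (or `install_template yes` to replace an existing template) after sourcing the file. Against the constructed 2.x sample, `es_major_version "$SAMPLE_ES2_INFO"` yields 2 and the ES 2.x template file is chosen, which is exactly the case the original poster hit: the default winlogbeat.template.json uses `keyword` and is rejected by a 2.x cluster.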

(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.