Winlogbeat 8.8.2 is not sending events to any pipeline

I am currently indexing the Windows Security log, and the events are being sent to Elasticsearch and successfully indexed. However, if I do not specify the pipeline named 'winlogbeat-8.8.2-security' in the output, the events are not parsed by any pipeline.

I have conducted manual tests with my event JSON in both the security pipeline and the routing pipeline, and it is being parsed correctly in both cases.

This is my conf:

winlogbeat.event_logs:
  - name: Security
    ignore_older: 1h

setup.kibana:
  host: "https://kibana-url:443"
  username: "${KB_USER}"
  password: "${KB_PWD}"

output.elasticsearch:
  hosts: ["https://elasticsearch-url:443"]
  protocol: "https"
  username: "${ES_USER}"
  password: "${ES_PWD}"

Here's an event example:

      "message":"An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tACCOUNT_SID\n\tAccount Name:\t\user_nm\n\tAccount Domain:\t\com\n\tLogon ID:\t\t0x7FB4EC4B\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.",
            "Audit Success"

You are missing this config:

output.elasticsearch.pipeline: winlogbeat-%{[agent.version]}-routing

as per Modules | Winlogbeat Reference [8.9] | Elastic.
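A quick offline check for the gap discussed in this thread, added here as an example (not code from the thread or from Elastic): it reports which ingest pipeline a winlogbeat.yml would send events to, or `None` when no pipeline is set. The function names are hypothetical, the sample configs are constructed from the thread, and the parser covers only the simple nested and dotted `key: value` subset of YAML, not the full Beats config loader.

```python
import re

def flatten(config_text):
    """Flatten simple nested 'key: value' YAML into dotted paths (subset only)."""
    flat, stack = {}, []                      # stack: (indent, key) of open mappings
    for raw in config_text.splitlines():
        line = raw.split(" #")[0].rstrip()    # drop trailing comments
        stripped = line.lstrip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(stripped)
        if stripped.startswith("- "):         # list item: treat as a nested mapping
            indent, stripped = indent + 2, stripped[2:]
        key, sep, value = stripped.partition(":")
        if not sep:
            continue
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = ".".join([k for _, k in stack] + [key.strip()])
        value = value.strip().strip("\"'")
        if value:
            flat[path] = value
        else:
            stack.append((indent, key.strip()))
    return flat

def effective_pipeline(config_text, agent_version):
    """Return the resolved output.elasticsearch.pipeline name, or None if unset."""
    value = flatten(config_text).get("output.elasticsearch.pipeline")
    if value is None:
        return None
    fields = {"agent.version": agent_version}  # only field this sketch resolves
    return re.sub(r"%\{\[([^\]]+)\]\}",
                  lambda m: fields.get(m.group(1), m.group(0)), value)

# Constructed sample: the output section as posted in the thread (no pipeline).
THREAD_CONFIG = """\
winlogbeat.event_logs:
  - name: Security
    ignore_older: 1h
output.elasticsearch:
  hosts: ["https://elasticsearch-url:443"]
  protocol: "https"
"""
# Constructed sample: the same config with the setting from the reply added.
FIXED_CONFIG = THREAD_CONFIG + '  pipeline: "winlogbeat-%{[agent.version]}-routing"\n'

if __name__ == "__main__":
    for name, cfg in (("thread", THREAD_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, "->", effective_pipeline(cfg, "8.8.2"))
```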
