Winlogbeat 8.8.2 is not sending events to any pipeline

I am currently indexing the Windows Security log, and the events are being sent to Elasticsearch and successfully indexed. However, if I do not specify the pipeline named 'winlogbeat-8.8.2-security' in the output, the events are not parsed by any pipeline.

I have conducted manual tests with my event JSON in both the security pipeline and the routing pipeline, and it is being parsed correctly in both cases.

This is my conf:

winlogbeat.event_logs:
  - name: Security
    ignore_older: 1h

setup.kibana:
  host: "https://kibana-url:443"
  username: "${KB_USER}"
  password: "${KB_PWD}"

output.elasticsearch:
  hosts: ["https://elasticsearch-url:443"]
  protocol: "https"
  username: "${ES_USER}"
  password: "${ES_PWD}"
  # no "pipeline:" setting here, so documents are indexed as-is

Here's an event example:

{
   "_index":".ds-winlogbeat-8.8.2-2023.07.26-000001",
   "_id":"oRnxk4kByRBLADHKW66P",
   "_version":1,
   "_score":0,
   "_source":{
      "@timestamp":"2023-07-26T19:26:07.641Z",
      "@metadata":{
         "beat":"winlogbeat",
         "type":"_doc",
         "version":"8.8.2"
      },
      "log":{
         "level":"information"
      },
      "message":"An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tACCOUNT_SID\n\tAccount Name:\t\tuser_nm\n\tAccount Domain:\t\tcom\n\tLogon ID:\t\t0x7FB4EC4B\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.",
      "host":{
         "name":"host.com"
      },
      "winlog":{
         "provider_guid":"{99999999999999}",
         "event_data":{
            "TargetUserName":"user_nm",
            "TargetDomainName":"com"
         },
         "process":{
            "pid":999999,
            "thread":{
               "id":999999
            }
         },
         "event_id":"4634",
         "provider_name":"Microsoft-Windows-Security-Auditing",
         "task":"Logoff",
         "keywords":[
            "Audit Success"
         ],
         "record_id":9265451,
         "computer_name":"host.com",
         "channel":"Security",
         "opcode":"Info",
         "api":"wineventlog"
      },
      "event":{
         "code":"4634",
         "kind":"event",
         "provider":"Microsoft-Windows-Security-Auditing",
         "outcome":"success",
         "action":"Logoff",
         "created":"2023-07-26T20:23:55.129Z"
      },
      "ecs":{
         "version":"8.0.0"
      },
      "agent":{
         "ephemeral_id":"4744fb12-9af8-4787-bf8f-490608b0cc89",
         "id":"7067f2d7-82fe-4890-a688-883c924e8a46",
         "name":"host.com",
         "type":"winlogbeat",
         "version":"8.8.2"
      }
   }
}

You are missing this config:

output.elasticsearch.pipeline: winlogbeat-%{[agent.version]}-routing

as per Modules | Winlogbeat Reference [8.9] | Elastic.
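To make the two configurations concrete, here is an added example (not code from the thread or from Elastic) that models what the answer describes: Winlogbeat expands `%{[agent.version]}` from the event before sending it, and the `-routing` pipeline then hands the document to a per-channel pipeline based on `winlog.channel`. The `CHANNEL_PIPELINES` table is a simplified stand-in for the real routing pipeline's conditions (an assumption for illustration, not the shipped pipeline definition), and `SAMPLE_EVENT` is a trimmed, constructed copy of the 4634 event above.

```python
import re

# Constructed sample: a trimmed copy of the Security event 4634 posted above.
SAMPLE_EVENT = {
    "@timestamp": "2023-07-26T19:26:07.641Z",
    "winlog": {
        "channel": "Security",
        "provider_name": "Microsoft-Windows-Security-Auditing",
        "event_id": "4634",
    },
    "event": {"code": "4634"},
    "agent": {"type": "winlogbeat", "version": "8.8.2"},
}

# Beats format-string reference, e.g. %{[agent.version]}
FORMAT_REF = re.compile(r"%\{\[([^\]]+)\]\}")


def get_field(event, dotted):
    """Walk a dotted path ('agent.version') through nested dicts."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            raise KeyError(dotted)
        cur = cur[part]
    return cur


def render_pipeline_name(fmt, event):
    """Expand %{[a.b]} references the way Beats does for output.elasticsearch.pipeline."""
    return FORMAT_REF.sub(lambda m: str(get_field(event, m.group(1))), fmt)


# Simplified model (assumption, not the shipped pipeline definition) of the
# routing step: the routing pipeline looks at winlog.channel and calls the
# matching per-channel pipeline for the same Winlogbeat version.
CHANNEL_PIPELINES = {
    "Security": "security",
    "Microsoft-Windows-Sysmon/Operational": "sysmon",
    "Microsoft-Windows-PowerShell/Operational": "powershell_operational",
    "Windows PowerShell": "powershell",
}


def route(event, output_pipeline=None):
    """Return the chain of ingest pipelines the event passes through.

    With no output.elasticsearch.pipeline configured (the original config),
    Elasticsearch indexes the raw document and no pipeline runs at all.
    """
    if output_pipeline is None:
        return []
    entry = render_pipeline_name(output_pipeline, event)
    chain = [entry]
    if entry.endswith("-routing"):
        channel = get_field(event, "winlog.channel")
        suffix = CHANNEL_PIPELINES.get(channel)
        if suffix:
            chain.append(entry[: -len("routing")] + suffix)
    return chain


if __name__ == "__main__":
    # Weak setting: no pipeline at all.
    print("no pipeline      ->", route(SAMPLE_EVENT))
    # What the poster tried: hard-coding the security pipeline.
    print("security pipeline->", route(SAMPLE_EVENT, "winlogbeat-%{[agent.version]}-security"))
    # Corrected setting from the answer: version-aware routing pipeline.
    print("routing pipeline ->", route(SAMPLE_EVENT, "winlogbeat-%{[agent.version]}-routing"))
```

The point the model makes visible is that hard-coding `winlogbeat-8.8.2-security` only works for Security-channel events and will silently break on the next Winlogbeat upgrade, whereas `winlogbeat-%{[agent.version]}-routing` resolves to the pipelines that `winlogbeat setup` installed for the running version and dispatches per channel. After changing the config, a quick check is `GET _ingest/pipeline/winlogbeat-8.8.2-routing` to confirm the pipeline exists, then look at a freshly indexed document for the fields the channel pipeline adds.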
