Winlogbeat dashboard missing fields

Hello,
I have an issue with Winlogbeat output.
When I try to view information with the Winlogbeat dashboards in Kibana, it says that there are missing fields in my data when I output to Kafka, because my architecture is the following one:
Winlogbeat → Kafka → Logstash → Elasticsearch


Then I tried to output to Elasticsearch, and I can see all the data.

I would like to know if there is a way to add these fields while outputting to Kafka.
Here is my winlogbeat.yml config when I output to Kafka:



winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h

  - name: System

  - name: Security

  - name: Microsoft-Windows-Sysmon/Operational

  - name: Windows PowerShell
    event_id: 400, 403, 600, 800

  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104, 4105, 4106

  - name: ForwardedEvents
    tags: [forwarded]

setup.dashboards.enabled: true
setup.dashboards.index: "windows-*"

setup.kibana.host: "10.60.101.10:5601"
setup.kibana.username: 'kibana_dash'
setup.kibana.password: '{password}'


output.kafka:
  hosts: ["10.60.101.11:9092"]
  topic: 'windows'
  partition.round_robin:
    reachable_only: false
  required_acks: 1
  compression: gzip
  max_message_bytes: 1000000


processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~


logging.to_files: true
logging.files:
  path: C:\Program Files\Winlogbeat\Logs
logging.level: info

And the config for the elastic output:


winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h

  - name: System

  - name: Security

  - name: Microsoft-Windows-Sysmon/Operational

  - name: Windows PowerShell
    event_id: 400, 403, 600, 800

  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104, 4105, 4106

  - name: ForwardedEvents
    tags: [forwarded]

setup.dashboards.enabled: true
setup.dashboards.index: "windows-*"

setup.kibana.host: "10.60.101.10:5601"

output.elasticsearch:
  hosts: ["https://10.60.101.10:9200"]
  username: "elastic"
  password: "{password}"
  ssl.certificate_authorities: ["http_ca.crt"]
  ssl.verification_mode: none
  indices:
    - index: "windows-%{+dd.MM.YYYY}"


setup.template.name: "windows"
setup.template.pattern: "windows-*"
setup.template.fields: "fields.yml"
setup.template.overwrite: false
setup.template.settings:
  index.number_of_shards: 1
  index.number_of_replicas: 1


processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~

logging.to_files: true
logging.files:
  path: C:\Program Files\Winlogbeat\Logs
logging.level: info

Thank you for your help.

I have been able to create the template with Winlogbeat by doing the elastic output first.
