Winlogbeat dashboard missing fields

Elastic Stack Beats
1

Hello,
I have an issue with winlogbeat output.
When I am trying to see information with Winlogbeat dashboards in Kibana, it says that there is missing fields in my data when I output to kafka because my architecture is the following one
Winlogbeat → Kafka → Logstash → Elasticsearch

image
image1908×790 25.4 KB

Then I tried to output to Elasticsearch, and I can see all data
image
image1920×937 72.1 KB

I would like to know i there is a way to add these fields while doing an output to kafka
Here is my config winlogbeat.yml when I output to kafka



winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h

  - name: System

  - name: Security

  - name: Microsoft-Windows-Sysmon/Operational

  - name: Windows PowerShell
    event_id: 400, 403, 600, 800

  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104, 4105, 4106

  - name: ForwardedEvents
    tags: [forwarded]

setup.dashboards.enabled: true
setup.dashboards.index: "windows-*"

setup.kibana.host: "10.60.101.10:5601"
setup.kibana.username: 'kibana_dash'
setup.kibana.password: '{password}'


output.kafka:
  hosts: ["10.60.101.11:9092"]
  topic: 'windows'
  partition.round_robin:
    reachable_only: false
  required_acks: 1
  compression: gzip
  max_message_bytes: 1000000


processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~


logging.to_files: true
logging.files:
  path: C:\Program Files\Winlogbeat\Logs
logging.level: info

And the config for elastic output


winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h

  - name: System

  - name: Security

  - name: Microsoft-Windows-Sysmon/Operational

  - name: Windows PowerShell
    event_id: 400, 403, 600, 800

  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104, 4105, 4106

  - name: ForwardedEvents
    tags: [forwarded]

setup.dashboards.enabled: true
setup.dashboards.index: "windows-*"

setup.kibana.host: "10.60.101.10:5601"

output.elasticsearch:
  hosts: ["https://10.60.101.10:9200"]
  username: "elastic"
  password: "{password}"
  ssl.certificate_authorities: ["http_ca.crt"]
  ssl.verification_mode: none
  indices:
    - index: "windows-%{+dd.MM.YYYY}"


setup.template.name: "windows"
setup.template.pattern: "windows-*"
setup.template.fields: "fields.yml"
setup.template.overwrite: false
setup.template.settings:
  index.number_of_shards: 1
  index.number_of_replicas: 1


processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~

logging.to_files: true
logging.files:
  path: C:\Program Files\Winlogbeat\Logs
logging.level: info

Thank you for your help

2

I have been able to create the template with winlogbeat by doing the elastic output first

3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.