Winlogbeat data missing

Elastic Stack Beats
1

Hi All,
New Elastic user here:)
My setup:
Ubuntu 22.04 LTS Server, running ELK Stack.

My kibana.yml:

image
image540×939 23.3 KB

My Elasticsearch.yml:

image
image456×985 18.3 KB

image
image441×906 15.8 KB

image
image838×961 20.7 KB

I Have added our Sophos firewall using the Sophos Filebeat module. I can read all logs nicely.
So far so good. However, today I started adding Windows Servers:

  1. Install Sysmon.
  2. Install Winlogbeat.
    My Winlogbeat.yml:
    image
    image853×473 9.33 KB

    image
    image975×889 26.1 KB

All went OK. Services are all running.
The only thing that I cant figure out:
Within Elastic-->Security-->hosts, I can see the host, and it is connecting fine. I can See events, and I can expand specific Events. All readable and parsed.
However, if I go to Analytics-->Discover, only Syslog Firewall events are being shown.
One thing I did notice was that I probably miss a Winlogbeat Index?
image

Can Anyone help me solve this issue?

2

Welcome to our community! :smiley:

Please don't post pictures of text, logs or code. They are difficult to read, impossible to search and replicate (if it's code), and some people may not be even able to see them :slight_smile:

3

I think the simplest fix in Kibana is to go to Stack Management -> Data Views -> Create data view. Enter "winlogbeat-*" and select @timestamp. Then click "Create data view".

4

I am sorry for posting pictures. My idea was to provide as much information as possible:)

5

Your solution works like a charm! Thanks for the quick support!

6

No worries, you can post the actual config/code itself in future :slight_smile:

7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.