Hi
we want to use Winlogbeat (7.4.2) for sending the event logs of a Windows Server to an Elasticsearch cluster, but it always uses the default settings and not the custom ones of the Template section:
setup.template:
  name: 'activedirectory-%{[beat.version]}'
  pattern: 'activedirectory-%{[beat.version]}-*'
setup.template.json.enabled: true
setup.template.json.path: "activedirectory.template.json"
setup.template.json.name: "activedirectory"

output.elasticsearch:
  hosts: ['http://10.254.11.11:9200']
  index: 'activedirectory-%{[beat.version]}-%{+xxxx.ww}'
In the log it shows that Winlogbeat only took a few parts of the config but ignores any custom index information:
2019-11-07T13:40:28.423+0100 INFO instance/beat.go:607 Home path: [C:\Program Files\winlogbeat] Config path: [C:\Program Files\winlogbeat] Data path: [C:\ProgramData\winlogbeat] Logs path: [C:\ProgramData\winlogbeat\logs]
2019-11-07T13:40:28.425+0100 INFO instance/beat.go:615 Beat ID: 86363dcb-3453-48eb-803f-e0bb3e31d496
2019-11-07T13:40:28.425+0100 INFO [beat] instance/beat.go:903 Beat info {"system_info": {"beat": {"path": {"config": "C:\\Program Files\\winlogbeat", "data": "C:\\ProgramData\\winlogbeat", "home": "C:\\Program Files\\winlogbeat", "logs": "C:\\ProgramData\\winlogbeat\\logs"}, "type": "winlogbeat", "uuid": "86363dcb-3453-48eb-803f-e0bb3e31d496"}}}
2019-11-07T13:40:28.425+0100 INFO [beat] instance/beat.go:912 Build info {"system_info": {"build": {"commit": "15075156388b44390301f070960fd8aeac1c9712", "libbeat": "7.4.2", "time": "2019-10-28T19:54:36.000Z", "version": "7.4.2"}}}
2019-11-07T13:40:28.425+0100 INFO [beat] instance/beat.go:915 Go runtime info {"system_info": {"go": {"os":"windows","arch":"amd64","max_procs":2,"version":"go1.12.9"}}}
2019-11-07T13:40:28.432+0100 INFO [beat] instance/beat.go:919 Host info {"system_info": {"host": {"architecture":"x86_64","boot_time":"2019-10-10T01:19:06.14+02:00","name":"zwei-g-dc01","ip":["fd07:7100:1400:1::2/64","fe80::15b0:b300:b44a:793/64","192.168.8.2/22","::1/128","127.0.0.1/8","fe80::5efe:c0a8:802/128","fe80::100:7f:fffe/64"],"kernel_version":"6.1.7601.24524 (win7sp1_ldr_escrow.190916-1700)","mac":["00:50:56:bd:00:06","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"family":"windows","platform":"windows","name":"Windows Server 2008 R2 Standard","version":"6.1","major":1,"minor":0,"patch":0,"build":"7601.24533"},"timezone":"CET","timezone_offset_sec":3600,"id":"e8403c61-fd33-4443-b0be-7da2078f60ee"}}}
2019-11-07T13:40:28.433+0100 INFO [beat] instance/beat.go:948 Process info {"system_info": {"process": {"cwd": "C:\\Windows\\system32", "exe": "C:\\Program Files\\winlogbeat\\winlogbeat.exe", "name": "winlogbeat.exe", "pid": 5904, "ppid": 492, "start_time": "2019-11-07T13:40:26.131+0100"}}}
2019-11-07T13:40:28.433+0100 INFO instance/beat.go:292 Setup Beat: winlogbeat; Version: 7.4.2
2019-11-07T13:40:28.433+0100 INFO [index-management] idxmgmt/std.go:178 Set output.elasticsearch.index to 'winlogbeat-7.4.2' as ILM is enabled.
2019-11-07T13:40:28.433+0100 INFO elasticsearch/client.go:170 Elasticsearch url: http://10.254.11.11:9200
2019-11-07T13:40:28.434+0100 INFO [publisher] pipeline/module.go:97 Beat name: server
2019-11-07T13:40:28.434+0100 INFO beater/winlogbeat.go:69 State will be read from and persisted to C:\ProgramData\winlogbeat\.winlogbeat.yml
2019-11-07T13:40:28.451+0100 WARN [cfgwarn] registered_domain/registered_domain.go:58 BETA: The registered_domain processor is beta.
2019-11-07T13:40:28.451+0100 INFO instance/beat.go:422 winlogbeat start running.
2019-11-07T13:40:28.451+0100 INFO [monitoring] log/log.go:118 Starting metrics logging every 30s
2019-11-07T13:40:28.455+0100 WARN beater/eventlogger.go:108 EventLog[Microsoft-Windows-Sysmon/Operational] Open() error. No events will be read from this source. The specified channel could not be found. Check channel configuration.
2019-11-07T13:40:29.475+0100 INFO pipeline/output.go:95 Connecting to backoff(elasticsearch(http://10.254.11.11:9200))
2019-11-07T13:40:29.475+0100 INFO elasticsearch/client.go:743 Attempting to connect to Elasticsearch version 7.4.2
2019-11-07T13:40:29.515+0100 INFO [index-management] idxmgmt/std.go:252 Auto ILM enable success.
2019-11-07T13:40:29.515+0100 INFO [index-management.ilm] ilm/std.go:134 do not generate ilm policy: exists=true, overwrite=false
2019-11-07T13:40:29.515+0100 INFO [index-management] idxmgmt/std.go:265 ILM policy successfully loaded.
2019-11-07T13:40:29.515+0100 INFO [index-management] idxmgmt/std.go:394 Set setup.template.name to '{winlogbeat-7.4.2 {now/d}-000001}' as ILM is enabled.
2019-11-07T13:40:29.515+0100 INFO [index-management] idxmgmt/std.go:399 Set setup.template.pattern to 'winlogbeat-7.4.2-*' as ILM is enabled.
2019-11-07T13:40:29.515+0100 INFO [index-management] idxmgmt/std.go:433 Set settings.index.lifecycle.rollover_alias in template to {winlogbeat-7.4.2 {now/d}-000001} as ILM is enabled.
2019-11-07T13:40:29.515+0100 INFO [index-management] idxmgmt/std.go:437 Set settings.index.lifecycle.name in template to {winlogbeat-7.4.2 {"policy":{"phases":{"hot":{"actions":{"rollover":{"max_age":"30d","max_size":"50gb"}}}}}}} as ILM is enabled.
2019-11-07T13:40:29.515+0100 INFO template/load.go:88 Template activedirectory already exists and will not be overwritten.
2019-11-07T13:40:29.515+0100 INFO [index-management] idxmgmt/std.go:289 Loaded index template.
2019-11-07T13:40:29.515+0100 INFO [index-management] idxmgmt/std.go:300 Write alias successfully generated.
2019-11-07T13:40:29.516+0100 INFO pipeline/output.go:105 Connection to backoff(elasticsearch(http://10.254.11.11:9200)) established
2019-11-07T13:40:29.567+0100 INFO beater/eventlogger.go:76 EventLog[Security] successfully published 43 events
2019-11-07T13:40:29.567+0100 INFO beater/eventlogger.go:76 EventLog[System] successfully published 1 events
2019-11-07T13:40:30.491+0100 INFO beater/eventlogger.go:76 EventLog[Security] successfully published 11 events
2019-11-07T13:40:30.492+0100 INFO beater/eventlogger.go:76 EventLog[System] successfully published 1 events
2019-11-07T13:40:32.550+0100 INFO beater/eventlogger.go:76 EventLog[Security] successfully published 20 events
I have tested some different settings based on some topics of this forum and the manual, but nothing works; it always sends the information to the winlogbeat index and not to my custom one.
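An added configuration example, not part of the original post, showing the two ways Winlogbeat 7.x can be made to honour a custom index name. The log line "Set output.elasticsearch.index to 'winlogbeat-7.4.2' as ILM is enabled" is the cause: with ILM enabled (the default against Elasticsearch 7.x), Beats derive the index, template name and template pattern from the ILM rollover alias and override whatever is set under output.elasticsearch.index and setup.template. The host is taken from the post; the alias name and the %{[agent.version]} form (the 7.x documented field) are assumptions.

```yaml
# Added example, not the poster's configuration.
# Pick ONE of the two options below.

# --- Option A: disable ILM so the custom index and template names are used ---
setup.ilm.enabled: false

setup.template.name: 'activedirectory-%{[agent.version]}'
setup.template.pattern: 'activedirectory-%{[agent.version]}-*'
setup.template.json.enabled: true
setup.template.json.path: "activedirectory.template.json"
setup.template.json.name: "activedirectory"
# The log shows "Template activedirectory already exists and will not be
# overwritten"; without this, edits to the template file are never applied.
setup.template.overwrite: true

output.elasticsearch:
  hosts: ['http://10.254.11.11:9200']
  # Weekly index; the template pattern above must match this name.
  index: 'activedirectory-%{[agent.version]}-%{+xxxx.ww}'

# --- Option B: keep ILM (Elasticsearch manages rollover) and rename the alias ---
# With ILM on, output.elasticsearch.index and setup.template.name/pattern are
# replaced by the rollover alias, so change the alias instead of the index.
# Indices will then be named activedirectory-<date>-000001, -000002, ...
# setup.ilm.enabled: auto
# setup.ilm.rollover_alias: "activedirectory"   # assumed alias name
# setup.ilm.pattern: "{now/d}-000001"
# setup.template.json.enabled: true
# setup.template.json.path: "activedirectory.template.json"
# setup.template.json.name: "activedirectory"
# output.elasticsearch:
#   hosts: ['http://10.254.11.11:9200']
```

After changing the file, run `winlogbeat.exe setup --index-management` once and restart the service, then check where events land with `GET _cat/indices/activedirectory-*` on the cluster.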