Winlogbeat dont use custom template

j.frenker · November 7, 2019, 12:49pm

Hi

we want to use Winlogbeat (7.4.2) for sending the eventlogs of a Windows Server to an Elasticsearch cluster, but it use always the default settings and not the custom one of the Template Section:

setup.template:
name: 'activedirectory-%{[beat.version]}'
pattern: 'activedirectory-%{[beat.version]}-*'
setup.template.json.enabled: true
setup.template.json.path: "activedirectory.template.json"
setup.template.json.name: "activedirectory"

output.elasticsearch:
hosts: ['http://10.254.11.11:9200']
index: 'activedirectory-%{[beat.version]}-%{+xxxx.ww}'

In the Log it shows that Winlogbeat only took a few parts of the config but ignores any custom index information:

2019-11-07T13:40:28.423+0100	INFO	instance/beat.go:607	Home path: [C:\Program Files\winlogbeat] Config path: [C:\Program Files\winlogbeat] Data path: [C:\ProgramData\winlogbeat] Logs path: [C:\ProgramData\winlogbeat\logs]
2019-11-07T13:40:28.425+0100	INFO	instance/beat.go:615	Beat ID: 86363dcb-3453-48eb-803f-e0bb3e31d496
2019-11-07T13:40:28.425+0100	INFO	[beat]	instance/beat.go:903	Beat info	{"system_info": {"beat": {"path": {"config": "C:\\Program Files\\winlogbeat", "data": "C:\\ProgramData\\winlogbeat", "home": "C:\\Program Files\\winlogbeat", "logs": "C:\\ProgramData\\winlogbeat\\logs"}, "type": "winlogbeat", "uuid": "86363dcb-3453-48eb-803f-e0bb3e31d496"}}}
2019-11-07T13:40:28.425+0100	INFO	[beat]	instance/beat.go:912	Build info	{"system_info": {"build": {"commit": "15075156388b44390301f070960fd8aeac1c9712", "libbeat": "7.4.2", "time": "2019-10-28T19:54:36.000Z", "version": "7.4.2"}}}
2019-11-07T13:40:28.425+0100	INFO	[beat]	instance/beat.go:915	Go runtime info	{"system_info": {"go": {"os":"windows","arch":"amd64","max_procs":2,"version":"go1.12.9"}}}
2019-11-07T13:40:28.432+0100	INFO	[beat]	instance/beat.go:919	Host info	{"system_info": {"host": {"architecture":"x86_64","boot_time":"2019-10-10T01:19:06.14+02:00","name":"zwei-g-dc01","ip":["fd07:7100:1400:1::2/64","fe80::15b0:b300:b44a:793/64","192.168.8.2/22","::1/128","127.0.0.1/8","fe80::5efe:c0a8:802/128","fe80::100:7f:fffe/64"],"kernel_version":"6.1.7601.24524 (win7sp1_ldr_escrow.190916-1700)","mac":["00:50:56:bd:00:06","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"family":"windows","platform":"windows","name":"Windows Server 2008 R2 Standard","version":"6.1","major":1,"minor":0,"patch":0,"build":"7601.24533"},"timezone":"CET","timezone_offset_sec":3600,"id":"e8403c61-fd33-4443-b0be-7da2078f60ee"}}}
2019-11-07T13:40:28.433+0100	INFO	[beat]	instance/beat.go:948	Process info	{"system_info": {"process": {"cwd": "C:\\Windows\\system32", "exe": "C:\\Program Files\\winlogbeat\\winlogbeat.exe", "name": "winlogbeat.exe", "pid": 5904, "ppid": 492, "start_time": "2019-11-07T13:40:26.131+0100"}}}
2019-11-07T13:40:28.433+0100	INFO	instance/beat.go:292	Setup Beat: winlogbeat; Version: 7.4.2
2019-11-07T13:40:28.433+0100	INFO	[index-management]	idxmgmt/std.go:178	Set output.elasticsearch.index to 'winlogbeat-7.4.2' as ILM is enabled.
2019-11-07T13:40:28.433+0100	INFO	elasticsearch/client.go:170	Elasticsearch url: http://10.254.11.11:9200
2019-11-07T13:40:28.434+0100	INFO	[publisher]	pipeline/module.go:97	Beat name: server
2019-11-07T13:40:28.434+0100	INFO	beater/winlogbeat.go:69	State will be read from and persisted to C:\ProgramData\winlogbeat\.winlogbeat.yml
2019-11-07T13:40:28.451+0100	WARN	[cfgwarn]	registered_domain/registered_domain.go:58	BETA: The registered_domain processor is beta.
2019-11-07T13:40:28.451+0100	INFO	instance/beat.go:422	winlogbeat start running.
2019-11-07T13:40:28.451+0100	INFO	[monitoring]	log/log.go:118	Starting metrics logging every 30s
2019-11-07T13:40:28.455+0100	WARN	beater/eventlogger.go:108	EventLog[Microsoft-Windows-Sysmon/Operational] Open() error. No events will be read from this source. The specified channel could not be found. Check channel configuration.
2019-11-07T13:40:29.475+0100	INFO	pipeline/output.go:95	Connecting to backoff(elasticsearch(http://10.254.11.11:9200))
2019-11-07T13:40:29.475+0100	INFO	elasticsearch/client.go:743	Attempting to connect to Elasticsearch version 7.4.2
2019-11-07T13:40:29.515+0100	INFO	[index-management]	idxmgmt/std.go:252	Auto ILM enable success.
2019-11-07T13:40:29.515+0100	INFO	[index-management.ilm]	ilm/std.go:134	do not generate ilm policy: exists=true, overwrite=false
2019-11-07T13:40:29.515+0100	INFO	[index-management]	idxmgmt/std.go:265	ILM policy successfully loaded.
2019-11-07T13:40:29.515+0100	INFO	[index-management]	idxmgmt/std.go:394	Set setup.template.name to '{winlogbeat-7.4.2 {now/d}-000001}' as ILM is enabled.
2019-11-07T13:40:29.515+0100	INFO	[index-management]	idxmgmt/std.go:399	Set setup.template.pattern to 'winlogbeat-7.4.2-*' as ILM is enabled.
2019-11-07T13:40:29.515+0100	INFO	[index-management]	idxmgmt/std.go:433	Set settings.index.lifecycle.rollover_alias in template to {winlogbeat-7.4.2 {now/d}-000001} as ILM is enabled.
2019-11-07T13:40:29.515+0100	INFO	[index-management]	idxmgmt/std.go:437	Set settings.index.lifecycle.name in template to {winlogbeat-7.4.2 {"policy":{"phases":{"hot":{"actions":{"rollover":{"max_age":"30d","max_size":"50gb"}}}}}}} as ILM is enabled.
2019-11-07T13:40:29.515+0100	INFO	template/load.go:88	Template activedirectory already exists and will not be overwritten.
2019-11-07T13:40:29.515+0100	INFO	[index-management]	idxmgmt/std.go:289	Loaded index template.
2019-11-07T13:40:29.515+0100	INFO	[index-management]	idxmgmt/std.go:300	Write alias successfully generated.
2019-11-07T13:40:29.516+0100	INFO	pipeline/output.go:105	Connection to backoff(elasticsearch(http://10.254.11.11:9200)) established
2019-11-07T13:40:29.567+0100	INFO	beater/eventlogger.go:76	EventLog[Security] successfully published 43 events
2019-11-07T13:40:29.567+0100	INFO	beater/eventlogger.go:76	EventLog[System] successfully published 1 events
2019-11-07T13:40:30.491+0100	INFO	beater/eventlogger.go:76	EventLog[Security] successfully published 11 events
2019-11-07T13:40:30.492+0100	INFO	beater/eventlogger.go:76	EventLog[System] successfully published 1 events
2019-11-07T13:40:32.550+0100	INFO	beater/eventlogger.go:76	EventLog[Security] successfully published 20 events

I have test some different settings based on some topics of this forum and the manual but nothing works, it always send the information to the winlogbeat index and not to my custom one.

system · December 5, 2019, 12:49pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to configure winlogbeat to use existing index in elasticsearch Beats	5	511	October 4, 2018
Send custom logs to elasticsearch with predefined list of fields Beats filebeat	3	190	September 5, 2023
Create a custom index in winlogbeat using cloud.id Beats winlogbeat	3	406	May 30, 2019
Winlogbeat still creates default index when setting up to use a custom index Beats winlogbeat	1	490	July 20, 2022
Unable to change the default index in Winlogbeat.yaml Beats winlogbeat	15	2204	January 2, 2018

Winlogbeat dont use custom template

Related topics