Hello,
I am using elasticstack v8. The messages are sent from winlogbeat -> logstash -> elastic. The message is arrived unparsed.
Logstash config:
input {
beats {
port => "5044"
client_inactivity_timeout => 360
ssl => true
ssl_cettificate => "/app/logstash/certs/${HOSTNAME}.cer"
ssl_key => "/app/logstash/certs/${HOSTNAME}-pkcs8.key"
tls_min_version => 1.2
}
}
filter {
mutate{ add_tag=> ["${PIPELINE_TAG}"] }
}
output {
elasticsearch {
hosts => ["https://X.X.X.X:9200","https://X.X.X.X:9200","https://X.X.X.X:9200"]
index => "winlogbeat-%{[@metadata][version]}"
user => "XX"
password => "XX"
ssl => true
ssl_certificate_verification => "true"
cacert => "/app/logstash/certs/ca/ca.cer"
manage_template => false
ilm_enabled => true
pipeline => "winlogbeat-8.0.0-routing"
}
}
winlogbeat config:
winlogbeat.event_logs:
- name: Application
ignore_older: 72h
- name: Security
- name: System
- name: ForwardedEvents
tags: ["forwarder"]
setup.template.settings:
index.number_of_shards: 1
max_procs: 1
keystore.path: ${path.home}/winlogbeat.keystore
output.logstash:
hosts: ["https://server1:5044", "https://server2:5044"]
loadbalance : false
worker: 1
pipelining: 0
bulk_max_size: 2048
backoff.max: 300s
ssl:
enabled: true
verification_mode: full
supported_protocol: [TLSv1.2, TLSv1.3]
certificate_authorities: ${path.home}/rootCA.cer
processors:
- translate_sid:
field: winlog.event_data.MemberSid
account_name_target: user.name
domain_target: user.domain
ignore_missing: true
ignore_failure: true
I loaded the winlogbeat pipelines modules manually into elasticsearch with the
PS > command .\winlogbeat.exe setup --pipelines
The messages are received to elastic but they are not indexed
Any suggestions where I missed the configuration