I can see the index has been made here, but it looks like there's 0 documents in it.
But for some reason it's not showing up here.
I have run the command .\winlogbeat.exe setup --index-management -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["xxx.xx.xx.xx:9200"]'
with the elasticsearch output. From my winlogbeat logs it looks like it connects to the logstash instance just fine and is publishing logs.
Logstash is not complaining either and is connecting to the Elasticsearch instance. Kibana also connects to ES just fine, but for some reason I can't find the logs from winlogbeat anywhere.
I tried reloading the indices under Index Management, but nothing happens.
I want to use the SIEM app, but I can't get the logs in there.
I can even see this in my elasticsearch logs
So my guess is that it's Logstash that isn't forwarding the logs to ES correctly, and the index was created when I used the setup command around Logstash.
My logstash log looks like this:
Sorry, I can't copy-paste from the virtual machine, so I had to take snippets of all the logs instead.
If you need more info to help, please let me know.
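For reference, this is the shape of Logstash pipeline that the Beats documentation recommends for the winlogbeat -> Logstash -> Elasticsearch path the post describes. It is an added example, not the poster's configuration or anything taken from the logs above. The `index` setting reuses the `@metadata` fields Beats attach to every event, so documents land in the `winlogbeat-<version>` write alias that `winlogbeat setup --index-management` created, instead of Logstash's default `logstash-*` index. The host address, the listening port 5044, and the file path are assumptions for the example.

```logstash
# Example pipeline (e.g. /etc/logstash/conf.d/beats.conf), added for illustration.
# Assumes winlogbeat's output.logstash points at this host on port 5044.

input {
  beats {
    port => 5044
  }
}

output {
  # Beats that ship an ingest pipeline name set [@metadata][pipeline];
  # honour it so the module parsing still runs in Elasticsearch.
  if [@metadata][pipeline] {
    elasticsearch {
      hosts => ["xxx.xx.xx.xx:9200"]      # assumed: same ES host as in the setup command
      manage_template => false            # the template was installed by `winlogbeat setup`
      index => "%{[@metadata][beat]}-%{[@metadata][version]}"   # resolves to e.g. winlogbeat-7.x.y (the write alias)
      pipeline => "%{[@metadata][pipeline]}"
    }
  } else {
    elasticsearch {
      hosts => ["xxx.xx.xx.xx:9200"]
      manage_template => false
      index => "%{[@metadata][beat]}-%{[@metadata][version]}"
    }
  }
}
```

With an explicit `index` and the default `ilm_rollover_alias`, the Logstash elasticsearch output does not take over ILM itself; it simply indexes into the alias that winlogbeat set up, and ILM rollover continues to be driven by the Beats-installed policy. To confirm where events actually ended up, query Elasticsearch directly rather than relying on the Kibana index list: `GET _cat/aliases/winlogbeat-*?v` shows the write alias and its backing index, and `GET _cat/indices/winlogbeat-*?v` shows the per-index document counts; if the counts are rising but the SIEM app is still empty, the problem is on the Kibana side (index pattern), and if they are not, the documents are going to a different index, which `GET _cat/indices?v&s=index` will reveal.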