Hi all, I am trying to set up my Elastic server running Logstash, Kibana and Elasticsearch (installed via a Bitnami package).
Everything is running OK, but when trying to gather Windows logs from a machine using Winlogbeat it seems a log is only coming through once every 24 hours, so when I go to create the index it only shows one log per day, which is also reflected in the Discover tab: with the @timestamp selected on the index I only ever see one log on the screen.
The Winlogbeat setup is very basic:
winlogbeat.event_logs:
  - name: Application
    ignore_older: 48h
  - name: Security
    ignore_older: 48h
  - name: System
    ignore_older: 48h
The only other part set up was the Logstash output, which is as follows:
So I haven't configured anything for Logstash, only for the Winlogbeat agent on the server to monitor. Maybe this is what I am missing, but nothing so far in the reading has mentioned this?
So to answer your question, it would be completely default at the moment. I've found the .yml file in the Logstash config directory and everything is currently commented out.
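For reference, a minimal Logstash pipeline that does what the thread is describing: accept events from Winlogbeat over the Beats protocol and write them to Elasticsearch. This is an added example, not configuration from the thread or from Elastic; it assumes Logstash and Elasticsearch on the same host with default ports and no TLS or authentication, and that the Winlogbeat side has `output.logstash.hosts` pointing at port 5044.

```conf
# Added example: minimal Beats -> Elasticsearch pipeline for Logstash.
# Assumed: Logstash listening on 5044, Elasticsearch on localhost:9200,
# no TLS/auth (add ssl/user/password settings for a real deployment).
input {
  beats {
    port => 5044
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    # Name the index after the shipping beat (e.g. winlogbeat-7.x.x-2019.03.04)
    # instead of the elasticsearch output's default "logstash-YYYY.MM.dd".
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
}
```

The `index` line is why this matters for the thread: with the output's default naming, events routed through Logstash land in `logstash-*` indices, whereas Winlogbeat writing directly to Elasticsearch creates `winlogbeat-*` indices, which is the difference the poster saw in the index list.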
Oh OK, maybe we are getting somewhere. If I change Winlogbeat to send straight to Elasticsearch and not Logstash, everything is now coming through; the indexing also shows winlogbeat and not logstash.
So do I leave it as this, or should I be sending it via Logstash?
Thanks, I'll take a look. Do you have any good resources for learning how to visualise the data? So for example I would like to see failed logon attempts and times of those attempts, etc.?
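Winlogbeat ships each Windows event as a JSON document, so the "failed logon attempts and times" question comes down to filtering on the Security channel's event ID 4625 ("An account failed to log on") and bucketing by time, user and source address. The following is an added example, not code from the thread or from Elastic, that does exactly that in Python over a handful of constructed sample events. It assumes the Winlogbeat 7.x ECS field layout (`winlog.channel`, `winlog.event_id`, `winlog.event_data.TargetUserName`, `winlog.event_data.IpAddress`); older Winlogbeat versions use top-level `event_id` and `event_data`, so adjust the accessors for your version. The equivalent Kibana KQL filter for a visualisation is `winlog.channel: Security and winlog.event_id: 4625`.

```python
import json
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed sample: five events in the shape Winlogbeat 7.x (ECS) indexes.
# Two failed logons for alice from 10.0.0.7, one success, one failed logon for
# svc_backup, and an unrelated System-channel event that must be ignored.
SAMPLE_NDJSON = """\
{"@timestamp":"2019-03-04T09:15:02.000Z","winlog":{"channel":"Security","event_id":4625,"event_data":{"TargetUserName":"alice","IpAddress":"10.0.0.7","Status":"0xC000006D"}}}
{"@timestamp":"2019-03-04T09:15:09.000Z","winlog":{"channel":"Security","event_id":4625,"event_data":{"TargetUserName":"alice","IpAddress":"10.0.0.7","Status":"0xC000006D"}}}
{"@timestamp":"2019-03-04T09:16:40.000Z","winlog":{"channel":"Security","event_id":4624,"event_data":{"TargetUserName":"alice","IpAddress":"10.0.0.7"}}}
{"@timestamp":"2019-03-04T11:02:13.000Z","winlog":{"channel":"Security","event_id":4625,"event_data":{"TargetUserName":"svc_backup","IpAddress":"10.0.0.22","Status":"0xC000006A"}}}
{"@timestamp":"2019-03-04T11:03:00.000Z","winlog":{"channel":"System","event_id":7036,"event_data":{"param1":"Windows Update"}}}
"""

FAILED_LOGON_EVENT_ID = 4625  # Windows Security log: "An account failed to log on"
TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"  # @timestamp format Winlogbeat emits


def parse_events(ndjson: str) -> List[dict]:
    """Parse newline-delimited JSON into event dicts, skipping blank lines."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def failed_logons(events: List[dict]) -> List[dict]:
    """Keep only Security-channel events whose event ID is 4625."""
    out = []
    for e in events:
        winlog = e.get("winlog", {})  # assumed 7.x layout; older: top-level fields
        if winlog.get("channel") == "Security" and winlog.get("event_id") == FAILED_LOGON_EVENT_ID:
            out.append(e)
    return out


def summarize(events: List[dict]) -> Dict[Tuple[str, str], dict]:
    """Group failed logons by (target user, source IP): count plus first/last time."""
    groups: Dict[Tuple[str, str], dict] = {}
    for e in events:
        data = e["winlog"].get("event_data", {})
        key = (data.get("TargetUserName", "?"), data.get("IpAddress", "?"))
        ts = e["@timestamp"]
        g = groups.setdefault(key, {"count": 0, "first": ts, "last": ts})
        g["count"] += 1
        g["first"] = min(g["first"], ts)  # ISO-8601 UTC strings sort lexically
        g["last"] = max(g["last"], ts)
    return groups


def per_hour(events: List[dict]) -> Counter:
    """Bucket events by UTC hour, the same shape as a Kibana date histogram."""
    buckets: Counter = Counter()
    for e in events:
        t = datetime.strptime(e["@timestamp"], TS_FORMAT).replace(tzinfo=timezone.utc)
        buckets[t.strftime("%Y-%m-%dT%H:00Z")] += 1
    return buckets


if __name__ == "__main__":
    failed = failed_logons(parse_events(SAMPLE_NDJSON))
    for (user, ip), g in sorted(summarize(failed).items()):
        print(f"{user:<12} from {ip:<12} {g['count']} failures, {g['first']} .. {g['last']}")
    for hour, n in sorted(per_hour(failed).items()):
        print(f"{hour}  {n}")
```

Running the script prints one line per user/source pair and one per hour; in Kibana the same picture is a data table split by `winlog.event_data.TargetUserName` and `winlog.event_data.IpAddress` next to a date histogram, both under the KQL filter above.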