Winlogbeat output config problems

Hi everyone!
I have installed in a VMWare machine the Security Onion OS. On the same machine i have installed winlogbeat and i'm having problems with the yml file.
When i execute this command ./winlogbeat test config
i get this response: Exiting: No outputs are defined. Please define one under the output section.

The code i'm using is this

###################### Winlogbeat Configuration Example ##########################
# This file is an example configuration file highlighting only the most common
# options. The winlogbeat.reference.yml file from the same directory contains all the
# supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/winlogbeat/index.html
#======================= Winlogbeat specific options ==========================
# event_logs specifies a list of event logs to monitor as well as any
# accompanying options. The YAML data type of event_logs is a list of
# dictionaries.
#
# The supported keys are name (required), tags, fields, fields_under_root,
# forwarded, ignore_older, level, event_id, provider, and include_xml. Please
# visit the documentation for the complete details of each option.
# https://go.es.io/WinlogbeatConfig
 winlogbeat.event_logs:
 — name: Application
 ignore_older: 72h
- name: Security
- name: System
- name: Windows PowerShell
- name: Internet Explorer
- name: OpenSSH/Operational
- name: OpenSSH/Admin
- name: Microsoft-Windows-Winlogon/Operational
- name: Microsoft-Windows-Windows Defender/WHC
- name: Microsoft-Windows-Windows Defender/Operational
- name: Microsoft-Windows-PowerShell/Operational
- name: Microsoft-Windows-PowerShell/Admin
- name: Microsoft-Windows-LSA/Operational
- name: AMSI/Operational
- name: Microsoft-Windows-Sysmon/Operational
 processors:
 -script:
 lang: javascript
 id: sysmon
 file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js
#==================== Elasticsearch template setting ==========================
setup.template.settings:
 index.number_of_shards: 3
 #index.codec: best_compression
 #_source.enabled: false
#================================ General =====================================
# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
#name:
# The tags of the shipper are included in their own field with each
# transaction published.
#tags: [“service-X”, “web-tier”]
# Optional fields that you can specify to add additional information to the
# output.
#fields:
# env: staging
#============================== Dashboards =====================================
# These settings control loading the sample dashboards to the Kibana index. Loading
# the dashboards is disabled by default and can be enabled either by setting the
# options here, or by using the `-setup` CLI flag or the `setup` command.
#setup.dashboards.enabled: true
# The URL from where to download the dashboards archive. By default this URL
# has a value which is computed based on the Beat name and version. For released
# versions, this URL points to the dashboard archive on the artifacts.elastic.co
# website.
#setup.dashboards.url:
#============================== Kibana =====================================
# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
#setup.kibana:
# Kibana Host
 # Scheme and port can be left out and will be set to the default (http and 5601)
 # In case you specify and additional path, the scheme is required: http://localhost:5601/path
 # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
 #host: “192.168.1.125:5601”
# Kibana Space ID
 # ID of the Kibana Space into which the dashboards should be loaded. By default,
 # the Default Space will be used.
 #space.id:
#============================= Elastic Cloud ==================================
# These settings simplify using winlogbeat with the Elastic Cloud (https://cloud.elastic.co/).
# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
# `setup.kibana.host` options.
# You can find the `cloud.id` in the Elastic Cloud web UI.
#cloud.id:
# The cloud.auth setting overwrites the `output.elasticsearch.username` and
# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
#cloud.auth:
#================================ Outputs =====================================
# Configure what output to use when sending the data collected by the beat.
# — — — — — — — — — — — — — Elasticsearch output — — — — — — — — — — — — — — — 
#output.elasticsearch:
 # Array of hosts to connect to.
 #hosts: [“localhost:9200”]
# Enabled ilm (beta) to use index lifecycle management instead daily indices.
 #ilm.enabled: false
# Optional protocol and basic auth credentials.
 #protocol: “https”
 #username: “elastic”
 #password: “changeme”
# — — — — — — — — — — — — — — — Logstash output — — — — — — — — — — — — — — — — 
output.logstash:
 # The Logstash hosts
 hosts: [“127.0.0.1:5044”]
 #loadbalance: true
# Optional SSL. By default is off.
 # List of root certificates for HTTPS server verifications
 #ssl.certificate_authorities: [“/etc/pki/root/ca.pem”]
# Certificate for SSL client authentication
 #ssl.certificate: “/etc/pki/client/cert.pem”
# Client Certificate Key
 #ssl.key: “/etc/pki/client/cert.key”
#================================ Processors =====================================
# Configure processors to enhance or manipulate events generated by the beat.
processors:
 — add_host_metadata: null
#================================ Logging =====================================
# Sets log level. The default log level is info.
# Available log levels are: error, warning, info, debug
#logging.level: debug
# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use [“*”]. Examples of other selectors are “beat”,
# “publish”, “service”.
#logging.selectors: [“*”]
#============================== Xpack Monitoring ===============================
# winlogbeat can export internal metrics to a central Elasticsearch monitoring
# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The
# reporting is disabled by default.
# Set to true to enable the monitoring reporter.
#xpack.monitoring.enabled: false
# Uncomment to send the metrics to Elasticsearch. Most settings from the
# Elasticsearch output are accepted here as well. Any setting that is not set is
# automatically inherited from the Elasticsearch output configuration, so if you
# have the Elasticsearch output configured, you can simply uncomment the
# following line.
#xpack.monitoring.elasticsearch:

Anyone knows how to resolve this problem?
Thanks

Probably a formatting issue. Try this.

winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: Security
  - name: System
  - name: Windows PowerShell
  - name: Internet Explorer
  - name: OpenSSH/Operational
  - name: OpenSSH/Admin
  - name: Microsoft-Windows-Winlogon/Operational
  - name: Microsoft-Windows-Windows Defender/WHC
  - name: Microsoft-Windows-Windows Defender/Operational
  - name: Microsoft-Windows-PowerShell/Operational
  - name: Microsoft-Windows-PowerShell/Admin
  - name: Microsoft-Windows-LSA/Operational
  - name: AMSI/Operational
  - name: Microsoft-Windows-Sysmon/Operational
    processors:
      - script:
          lang: javascript
          id: sysmon
          file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js
output.logstash:
  hosts:
    - 127.0.0.1:5044
processors:
  - add_host_metadata: null

Now the error i get is:
Exiting: Index management requested but the Elasticsearch output is not configured/enabled

What version?

Try adding:

setup.ilm.enabled: false

I've added the command before and after (trying different modes) and the result is the same:
Exiting: Index management requested but the Elasticsearch output is not configured/enabled

The version i'm running is:
winlogbeat version 7.16.3 (amd64), libbeat 7.16.3

   processors:
      - script:
          lang: javascript
          id: sysmon
          file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js

setup.ilm.enabled: false

output.logstash:
  hosts:
    - 127.0.0.1:5044

And this is when you try to run Winlogbeat? As in .\winlogbeat run -e? Or are you using some non-default subcommand like setup?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.