Hello, we've just upgraded to winlogbeat 6.3.2 and I have uploaded the template and made the necessary change to the beats output in Logstash.
I can see events in Kibana, but the host field is showing incorrectly: instead of simply showing the hostname, it shows the below:
I did modify the index template to change the number of shards. My partial index template is below; I've had to cut it off after the relevant section, as there are too many characters for this post:
PUT /_template/winlogbeat-6.3.2
{
"index_patterns": [
"winlogbeat-6.3.2-*"
],
"settings": {
"number_of_shards": "33",
"number_of_replicas": "0",
"index": {
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"refresh_interval": "5s"
}
},
"mappings": {
"doc": {
"dynamic_templates": [
{
"fields": {
"match_mapping_type": "string",
"path_match": "fields.*",
"mapping": {
"type": "keyword"
}
}
},
{
"docker.container.labels": {
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string",
"path_match": "docker.container.labels.*"
}
},
{
"event_data": {
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string",
"path_match": "event_data.*"
}
},
{
"user_data": {
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string",
"path_match": "user_data.*"
}
},
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"properties": {
"message": {
"type": "text",
"norms": false
},
"message_error": {
"type": "keyword",
"ignore_above": 1024
},
"record_number": {
"type": "keyword",
"ignore_above": 1024
},
"host": {
"properties": {
"name": {
"type": "keyword",
"ignore_above": 1024
},
"id": {
"type": "keyword",
"ignore_above": 1024
},
"architecture": {
"type": "keyword",
"ignore_above": 1024
},
"os": {
"properties": {
"version": {
"type": "keyword",
"ignore_above": 1024
},
"family": {
"type": "keyword",
"ignore_above": 1024
},
"platform": {
"type": "keyword",
"ignore_above": 1024
}
}
}
}
},
Can anyone help correct this?
Many thanks.