Hi,
I've set up winlogbeat and have the dashboard set up in Kibana, but I'm not seeing all the data in the dashboard; instead I'm getting these errors.
winlogbeat config:

winlogbeat.event_logs:
  - name: Security
    event_id: 4740,4728,4732,4756,4735,4724,4625,4648,1102,4624,5038,6281
    ignore_older: 72h
  - name: Application
    event_id: 1000,1002,1001
    ignore_older: 72h
  - name: "Microsoft-Windows-TaskScheduler/Operational"
    event_id: 141,106,142,140,129
    ignore_older: 72h
  - name: System
    event_id: 104,102,1102,4719,6005,7022,7023,7024,7025,7026,7031,7032,7034,7045,4697,7022,7023,104,6
    ignore_older: 72h
  - name: "Microsoft-Windows-Application-Experience/Program-Inventory"
    event_id: 903,904
    ignore_older: 72h
  - name: "Microsoft-Windows-Sysmon/Operational"
    ignore_older: 72h
  - name: "Microsoft-Windows-TerminalServices-RDPClient/Operational,Microsoft-Windows-TerminalServices-LocalSessionManager/Admin,Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
    event_id: 23,24,25,1102
    ignore_older: 72h
  - name: "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity,Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose,Microsoft-Windows-Windows Firewall With Advanced Security/Firewall,Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose,Microsoft-Windows-Windows Firewall With Advanced Security/Network Isolation Operational"
    event_id: 2004,2005,2006,2033,2009
    ignore_older: 72h
  - name: "Microsoft-Windows-WindowsUpdateClient/Operational"
    event_id: 20,24,25,31,34,35
    ignore_older: 72h

setup.template.settings:
  index.number_of_shards: 1

setup.dashboards.enabled: true

setup.kibana:
  host: "http://10.230.10.18:80"

output.logstash:
  hosts: ["10.230.10.18:5044"]
  index: winlogbeat

Really appreciate your time here,
-Luka