Skip to content

Instantly share code, notes, and snippets.

@SyeedHasan

SyeedHasan/Winlogbeat Configuration.md

Last active May 29, 2021 17:28
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save SyeedHasan/a759c315ea57868e25f31f9c041634f9 to your computer and use it in GitHub Desktop.
Save SyeedHasan/a759c315ea57868e25f31f9c041634f9 to your computer and use it in GitHub Desktop.
Download ZIP
Winlogbeat tweaks
Raw
Winlogbeat Configuration.md

Winlogbeat Custom Template Naming

Steps

  1. Update the 'index' field in output.elasticsearch [e.g. win-host-%{yyyy-mm-dd}]
  2. Update the 'setup.template.name' and 'setup.template.pattern' accordingly [e.g., win- and win-*]
  3. Disable ILM because custom template naming won't work if this is enabled i.e., setup.ilm.enabled: false
  4. Load the custom template: .\winlogbeat.exe setup --index-management -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["192.168.18.110:1337"]'
  5. Restart the winlogbeat service

"Unindexed fields are not available for searching"

Refresh the indexes such that the updated mapping can apply to the indexes. Use the refresh API using: GET /win-*/_refresh

@SyeedHasan
Copy link
Author

Blog on the same topic:
https://discuss.elastic.co/t/how-can-i-change-winlogbeat-name-in-template-name/98442/10

@SyeedHasan
Copy link
Author

Helpful SO article:
https://stackoverflow.com/questions/62115650/filebeat-is-not-creating-index-with-my-name

@SyeedHasan
Copy link
Author

Helpful articles on configuring Winlogbeat:
https://www.elastic.co/guide/en/beats/winlogbeat/current/configuration-winlogbeat-options.html

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment