Load ingest pipelines

Winlogbeat modules are implemented using Elasticsearch ingest node pipelines. The events receive their transformations within Elasticsearch, so the ingest node pipelines must be loaded into Elasticsearch first. This can happen in one of several ways.
On connection to Elasticsearch

Winlogbeat sends the ingest pipelines to Elasticsearch automatically if the Elasticsearch output is enabled. Make sure the user specified in winlogbeat.yml is authorized to set up Winlogbeat.

If Winlogbeat is sending events to Logstash or another output, you need to load the ingest pipelines with the setup command or manually.
setup command

On a machine that has Winlogbeat installed and has Elasticsearch configured as the output, run the setup command with the --pipelines option specified. For example, the following command loads the ingest pipelines:

PS > .\winlogbeat.exe setup --pipelines

Make sure the user specified in winlogbeat.yml is authorized to set up Winlogbeat.
Manually install pipelines

On a machine that has Winlogbeat installed, export the pipelines to disk. This can be done with the export command with the pipelines option specified. For example, the following command exports the ingest pipelines:

PS> .\winlogbeat.exe export pipelines --es.version=7.16.0

Once the pipelines have been exported, you can load them into Elasticsearch with the _ingest/pipeline REST API call. The user making the REST API call will need to have the ingest_admin role assigned to them.
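The manual load described above, as an added PowerShell example that is not part of the Winlogbeat documentation. It assumes the export wrote one <pipeline-id>.json file per pipeline into a local directory, that the pipeline id is the file name without its extension, that the ids start with winlogbeat-, and that the credentials belong to a user holding the ingest_admin role.

```powershell
# Added example (not Winlogbeat's own code): PUT each exported pipeline file to
# the _ingest/pipeline API. Assumed: files are <pipeline-id>.json in $PipelineDir,
# the id is the file name without extension, and the user has the ingest_admin role.
param(
    [string]$EsUrl = "https://localhost:9200",
    [string]$PipelineDir = ".\pipelines",
    [pscredential]$Credential = (Get-Credential -Message "Elasticsearch user with ingest_admin role")
)

# Build a Basic Authorization header explicitly so this works on both Windows PowerShell 5.1 and PowerShell 7.
$pair    = "{0}:{1}" -f $Credential.UserName, $Credential.GetNetworkCredential().Password
$headers = @{ Authorization = "Basic " + [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($pair)) }

$files = Get-ChildItem -Path $PipelineDir -Filter *.json -File
if (-not $files) { throw "No exported pipeline files found in $PipelineDir" }

foreach ($file in $files) {
    $id  = $file.BaseName                       # assumed naming, e.g. winlogbeat-7.16.0-security-default
    $uri = "$EsUrl/_ingest/pipeline/$id"

    # Validate the JSON locally first; a truncated or hand-edited export should fail here, not in Elasticsearch.
    $body = Get-Content -Path $file.FullName -Raw
    try { $null = $body | ConvertFrom-Json }
    catch { Write-Error "Invalid JSON in $($file.Name): $_"; continue }

    try {
        $resp = Invoke-RestMethod -Method Put -Uri $uri -Headers $headers -ContentType "application/json" -Body $body
        if ($resp.acknowledged) { Write-Host "Loaded pipeline $id" }
        else { Write-Warning "Elasticsearch did not acknowledge pipeline $id" }
    } catch {
        # A 403 here usually means the user lacks the ingest_admin role.
        Write-Error "Failed to load $id via $uri : $($_.Exception.Message)"
    }
}

# Confirm what is installed so the loaded set can be compared with the exported files.
$installed = Invoke-RestMethod -Method Get -Uri "$EsUrl/_ingest/pipeline/winlogbeat-*" -Headers $headers
$installed.PSObject.Properties.Name | Sort-Object | ForEach-Object { Write-Host "Installed: $_" }
```

Run it from the directory containing the exported files, or pass -PipelineDir; the final listing should contain one entry per exported file.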