Winlogbeat not working

#1

Elasticsearch and Search Guard version : 6.3.2

Entreprise Module : Disabled

JVM Version : 1.8.0_111

Operating System : Debian 9

Hello

I have Search Guard with Kibana and Elasticsearch (no Logstash).
I also have a Winlogbeat agent which does not send anything to my Elasticsearch.

I put this into my winlogbeat file:

output.elasticsearch:
  username: kibanaserver
  password: kibanaserver
  protocol: https
  hosts: ["ip_address:9200"]
  ssl.certificate_authorities:
    - C:\Program Files\Winlogbeat\root-ca.cer

As I said before, I didn't get any entry in Kibana Discover.

Can you help me please?

0 Likes

#2

I think you are not using the correct user for running Beats. You have configured:

The kibanaserver user is only useful for running Kibana.

What you need is a user that has permissions to write to the index that Beats is using. We have just recently published an article about ingestion with Beats and logstash, this should explain the required steps:

0 Likes

#4

Thank you for your reply.

I have tested with the admin account when it asks for the Kibana output and the Elasticsearch output, and it works great!

However, is there a more suitable account for this task? I don't use Logstash, so is there an account without "logstash"?

0 Likes

#5

There is no built-in role for a "Beats only" user. However, the setup is pretty straightforward and you can use the sg_logstash role as a template. Just remove all permissions for the logstash indices and leave everything else in place, like:

sg_beats:  
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS
    - indices:admin/template/get
    - indices:admin/template/put
  indices:
    '*beat*':
      '*':
        - CRUD
        - CREATE_INDEX

Then create a user and map it to the sg_beats role via the roles mapping.

0 Likes
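The complete set of files behind the answer above, written out as an added example (not taken from the thread or from the Search Guard project): the sg_beats role from the reply, a dedicated internal user, the roles mapping that ties the two together, and the Winlogbeat output section that replaces the original kibanaserver credentials. The user name `beats`, its password placeholder, the hash placeholder and the `hash.sh` path are assumptions; the only index pattern the role can reach is `*beat*`, so a leaked Beats credential cannot read or write Kibana, Logstash or application indices, which is the point of not reusing kibanaserver.

```yaml
# --- sg_roles.yml: least-privilege role for Beats shippers (role from the reply above)
sg_beats:
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS
    - indices:admin/template/get    # lets `winlogbeat setup` / auto template load work
    - indices:admin/template/put
  indices:
    '*beat*':                       # winlogbeat-*, filebeat-*, ... and nothing else
      '*':
        - CRUD
        - CREATE_INDEX

# --- sg_internal_users.yml: dedicated user, assumed name "beats"
# The hash is a placeholder; generate the real one with
#   plugins/search-guard-6/tools/hash.sh -p '<password>'
beats:
  hash: "<BCRYPT_HASH_FROM_hash.sh>"

# --- sg_roles_mapping.yml: give only this user the sg_beats role
sg_beats:
  users:
    - beats

# --- winlogbeat.yml: output section using the new user instead of kibanaserver
output.elasticsearch:
  username: beats
  password: "<PASSWORD_USED_WITH_hash.sh>"
  protocol: https
  hosts: ["ip_address:9200"]
  ssl.certificate_authorities:
    - C:\Program Files\Winlogbeat\root-ca.cer
```

After editing the three sg_*.yml files, push them to the cluster with sgadmin so the running configuration picks up the new role, user and mapping; until then Winlogbeat will still get 401/403 responses from Elasticsearch, which is the first thing to look for in the Winlogbeat log when Kibana Discover stays empty.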