Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Question about restarting service of winlogbeat & packetbeat #39

Closed
gggaaammm opened this issue Mar 17, 2021 · 1 comment
Closed

Question about restarting service of winlogbeat & packetbeat #39

gggaaammm opened this issue Mar 17, 2021 · 1 comment
Labels
109-2-pj1 Hint

Comments

@gggaaammm
Copy link

gggaaammm commented Mar 17, 2021
edited
Loading

Hello TAs,
I managed to change fields.hostname after reading #16

When I restart services of winlogbeat and packetbeat,
Kibana create a new index pattern, yet the number of the fields seems different.

My winlogbeat.yml

#---------fields---------
fields:
hostname: _309551108
#----------kibana---------
setup.kibana:
host: "192.168.66.1:5601"
username: "admin"
username: "admin"
#------Logstash Output ----------
output.logstash:
hosts: ["192.168.66.1:5044"]
username: "admin"
password: "admin"

my first winlogbeat patterns: 679 fields

image

my first packetbeat patterns: 93 fields

image

After restarting service , new index patterns: 340 fields

image
(changing hostname of both winlogbeat and packet)

The Problems

  1. the old winlogbeat pattern still receive some winlogbeat data(the hostname is still unknown)
    image

  2. new index patterns seems to only accept packetbeat's data(the hostname shows correctly)
    image

My questions

My question is as follows:

  1. Do winlogbeat & packetbeat's data can send to the same index pattern? If so, how to distinguish them?
  2. Why the hostname is still unknown after changing fields in winlogbeat.yml?
  3. the cmd ./winlogbeat.exe setup -e will prompt out error(like the pictures below), but cmd ./winlogbeat.exe -e or "Start-Service winlogbeat" works properly, did the system reject winlogbeat.yml after changing the hostname or did anything I miss?
    image

Reply or discussion is appreciated, thanks!
@dsnslab
Copy link
Owner

dsnslab commented Mar 18, 2021
edited
Loading

  1. Yes, they can be sent to same index pattern. You can observe the fields to distinguish them.
    Alternatively, you can setup different fields.logtag field for winlogbeat's and packetbeat's configuration.
    The index naming format is stated in logstash's pipeline configuration in elastic.zip.
  2. Check if the configuration for winlogbeat is valid and remember to restart the service
  3. The error is expected since that command is used to setup Index Management which needs the configuration of output.elasticsearch. You could setup the index pattern via Kibana's web interface, so you don't need to run that command. Make sure that ./winlogbeat.exe -e shows no error message.

@dsnslab dsnslab mentioned this issue Mar 19, 2021
Closed
@dsnslab dsnslab added the Hint label Mar 19, 2021
@dsnslab dsnslab mentioned this issue Mar 23, 2021
Closed
@dsnslab dsnslab closed this as completed Mar 23, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
109-2-pj1 Hint
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@gggaaammm @dsnslab