4 responses
I'm attempting to demo nxlog and running into a problem where the Windows Server 2016 event logs are being sent to AWS ElasticSearch Service with the EventTime being a string. This basically renders it impossible to index the logs, as the Kibana board requires a time-field name and is not recognizing the string as a datetime. Any suggestions on this, or is this a potential bug with Server 2016?
Here's my current configuration:
This is the output that ElasticSearch Service is receiving for the EventReceivedTime and EventTime:
Note: before proceeding, check if you have the right mapping in place (i.e. EventTime is mapped as a date)
curl -XGET 'localhost:9200/_template'
The output should contain something like this:
If your mapping looks OK, then read on...
I tried to run a quick test with your config, but unfortunately my Elasticsearch is running in developer mode, so I cannot address it directly from an outside source (long story short: it's running in a non-privileged container) and thus I cannot access it directly from a Windows 2012 box.
But I can and do use an Nxlog instance in the same container to accept events from the Windows server. What I have is basically a KEN stack (Kibana, Elasticsearch, Nxlog) in a container receiving om_tcp (binary) data and feeding it to ES. This way the EventTime field is treated properly as a date data type.
Nxlog conf on the KEN server:
I'm not suggesting that this is the right (let alone only) way to go, but you can use a similar config to check if Windows 2016 events are received correctly and if you are in a time crunch wrt your demo, it can be a workaround for your problem.
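As an added example (not from this thread or from the nxlog project), here is an index template that pins EventTime and EventReceivedTime to the date type, together with an offline pre-check that tells you which sample events the declared formats would still reject. The index pattern, the pre-6.x template syntax ("template" key, "_default_" type) and the date format list are assumptions; nxlog's default timestamp layout is "YYYY-MM-DD hh:mm:ss", which Elasticsearch's dynamic date detection does not recognise, so without an explicit mapping the field ends up as a string.

```python
import json
import urllib.request
from datetime import datetime

# Assumed template: index pattern and Elasticsearch version (pre-6.x syntax) are guesses,
# adjust both for your cluster.  The first format is nxlog's default timestamp layout.
DATE_FORMAT = "yyyy-MM-dd HH:mm:ss||strict_date_optional_time"
NXLOG_TEMPLATE = {
    "template": "nxlog*",
    "mappings": {
        "_default_": {
            "properties": {
                "EventTime": {"type": "date", "format": DATE_FORMAT},
                "EventReceivedTime": {"type": "date", "format": DATE_FORMAT},
            }
        }
    },
}

# strptime equivalents of the Elasticsearch formats above, for the offline pre-check only.
_STRPTIME = {
    "yyyy-MM-dd HH:mm:ss": ["%Y-%m-%d %H:%M:%S"],
    "strict_date_optional_time": ["%Y-%m-%dT%H:%M:%S.%f%z", "%Y-%m-%dT%H:%M:%S%z",
                                  "%Y-%m-%dT%H:%M:%S", "%Y-%m-%d"],
}

def date_fields(template):
    """Return {field: [es_format, ...]} for every field the template maps as date."""
    out = {}
    for mapping in template["mappings"].values():
        for name, spec in mapping["properties"].items():
            if spec.get("type") == "date":
                out[name] = spec.get("format", "strict_date_optional_time").split("||")
    return out

def parses(value, es_formats):
    """True if the value matches any strptime pattern behind the given ES formats."""
    for fmt in es_formats:
        for pat in _STRPTIME.get(fmt, []):
            try:
                datetime.strptime(value, pat)
                return True
            except ValueError:
                continue
    return False

def precheck(events, template=NXLOG_TEMPLATE):
    """List (event_index, field, value) for timestamps the template's formats would reject."""
    fields = date_fields(template)
    return [(i, f, ev[f]) for i, ev in enumerate(events)
            for f, fmts in fields.items() if f in ev and not parses(str(ev[f]), fmts)]

def put_template(host, name="nxlog", template=NXLOG_TEMPLATE):
    """PUT the template to a reachable cluster, e.g. put_template("http://localhost:9200")."""
    req = urllib.request.Request(f"{host}/_template/{name}", method="PUT",
                                 data=json.dumps(template).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

# Constructed sample events shaped like nxlog's JSON output; the third one has a bad timestamp.
SAMPLE_EVENTS = [
    {"EventTime": "2017-03-01 08:15:42", "EventReceivedTime": "2017-03-01 08:15:43", "Channel": "Security"},
    {"EventTime": "2017-03-01T08:16:00Z", "EventReceivedTime": "2017-03-01 08:16:01", "Channel": "System"},
    {"EventTime": "03/01/2017 08:17", "EventReceivedTime": "2017-03-01 08:17:02", "Channel": "Application"},
]
```

Run the pre-check against a few captured events before pushing the template; any row it returns is a timestamp layout you still need to add to DATE_FORMAT.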
Thank you. I was missing the default mappings in the ElasticSearch. Once I added that, everything seems to be working as expected now.