Step 4: Loading the Index Template in Elasticsearch

edit

Step 4: Loading the Index Template in Elasticsearch

edit

In Elasticsearch, index templates are used to define settings and mappings that determine how fields should be analyzed.

The recommended template file is installed by the Winlogbeat packages. You can either configure Winlogbeat to load the template automatically, or you can load the template manually.

Configuring Template Loading

edit

To configure Winlogbeat to load the template, you must enable the Elasticsearch output. In the Winlogbeat configuration file, uncomment the template part under elasticsearch section. By default the template is named winlogbeat. Adjust the path to your template file.

output:
  elasticsearch:
    hosts: ["localhost:9200"]

    # A template is used to set the mapping in Elasticsearch
    # By default template loading is disabled and no template is loaded.
    # These settings can be adjusted to load your own template or overwrite existing ones
    template:

      # Template name. By default the template name is winlogbeat.
      #name: "winlogbeat"

      # Path to template file
      path: "winlogbeat.template.json"

      # Overwrite existing template
      #overwrite: false

The template is loaded when you start Winlogbeat. By default, if a template already exists in the index, it is not overwritten. To overwrite an existing template, set overwrite: true in the configuration file.

The options for auto loading the template are not supported if you are using the Logstash output.

Loading the Template Manually

edit

You can load the template by running the following command:

win:

PS C:\Program Files\Winlogbeat> Invoke-WebRequest -Method Put -InFile winlogbeat.template.json -Uri http://localhost:9200/_template/winlogbeat?pretty

where localhost:9200 is the IP and port where Elasticsearch is listening.

If you’ve already used Winlogbeat to index data into Elasticsearch, the index may contain old documents. After you load the index template, you can delete the old documents from winlogbeat-* to force Kibana to look at the newest documents. Use this command:

curl -XDELETE 'http://localhost:9200/winlogbeat-*'