This documentation contains work-in-progress information for future Elastic Stack and Cloud releases. Use the version selector to view supported release docs. It also contains some Elastic Cloud serverless information. Check out our serverless docs for more details.
« Load Kibana dashboards Use environment variables in the configuration »
Elastic Docs Winlogbeat Reference [master] How to guides

Load ingest pipelines

edit

Load ingest pipelines

edit

Winlogbeat modules are implemented using Elasticsearch ingest node pipelines. The events receive their transformations within Elasticsearch. The ingest node pipelines must be loaded into Elasticsearch. This can happen one of several ways.

On connection to Elasticsearch

edit

Winlogbeat will send ingest pipelines automatically to Elasticsearch if the Elasticsearch output is enabled.

Make sure the user specified in winlogbeat.yml is authorized to set up Winlogbeat.

If Winlogbeat is sending events to Logstash or another output you need to load the ingest pipelines with the setup command or manually.

setup command

edit

On a machine that has Winlogbeat installed and has Elasticsearch configured as the output, run the setup command with the --pipelines option specified. For example, the following command loads the ingest pipelines:

PS > .\winlogbeat.exe setup --pipelines

Make sure the user specified in winlogbeat.yml is authorized to set up Winlogbeat.

Manually install pipelines

edit

On a machine that has Winlogbeat installed export the the pipelines to disk. This can be done with the export command with pipelines option specified. For example, the following command exports the ingest pipelines:

PS> .\winlogbeat.exe export pipelines --es.version=7.16.0

Once the pipelines have been exported you can load them into Elasticsearch with the _ingest/pipeline REST API call. The user making the REST API call will need to have the ingest_admin role assigned to them.

« Load Kibana dashboards Use environment variables in the configuration »