In Elasticsearch, index templates are used to define settings and mappings that determine how fields should be analyzed.
The recommended index template file for Winlogbeat is installed by the Winlogbeat packages. If you accept
the default configuration for template loading in the
winlogbeat.yml config file,
Winlogbeat loads the template automatically after successfully connecting to Elasticsearch. If the template
already exists, it’s not overwritten unless you configure Winlogbeat to do so.
If you want to disable automatic template loading, or you want to load your own template, change the template settings in the Winlogbeat configuration file. If you disable automatic template loading, you must load the template manually. Both options are described below.
By default, Winlogbeat automatically loads the recommended template file if the Elasticsearch output is enabled. You can configure Winlogbeat to load a different template by adjusting the template.path option under the Elasticsearch output in winlogbeat.yml:

output.elasticsearch:
  hosts: ["localhost:9200"]
  template.name: "winlogbeat"
  template.path: "winlogbeat.template.json"
  template.overwrite: false
By default, if a template of that name already exists in Elasticsearch, it is not overwritten. To overwrite an existing template, set template.overwrite: true in the configuration file.
To disable automatic template loading, comment out the template part under the Elasticsearch output.
The options for auto loading the template are not supported if you are using the Logstash output.
If you disable automatic template loading, you need to run the following command to load the template:
PS C:\Program Files\Winlogbeat> Invoke-WebRequest -Method Put -InFile winlogbeat.template.json -Uri http://localhost:9200/_template/winlogbeat?pretty
localhost:9200 is the host and port where Elasticsearch is listening; adjust it if Elasticsearch runs elsewhere. The ?pretty parameter only formats the response and can be omitted.
If you’ve already used Winlogbeat to index data into Elasticsearch, the existing winlogbeat-* indices were created before the template was loaded and do not use its mappings. After you load the index template, you can delete those indices so that new events are indexed with the new mappings and Kibana sees only the new documents. Note that this command deletes every index matching winlogbeat-*, including all data in them, so take a snapshot first if you need that data:
curl -XDELETE 'http://localhost:9200/winlogbeat-*'
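The manual steps above (load the template by hand, then clear out indices created under the old mappings) carried through as one PowerShell script, since that is the shell the Invoke-WebRequest command is typed into. This is an added example and not code from the Winlogbeat documentation or the Beats project. It assumes Elasticsearch listens on http://localhost:9200 without authentication and that winlogbeat.template.json is in the current directory; the function names, the -Overwrite switch and the confirmation prompt are this example's own and mirror Winlogbeat's template.overwrite behaviour rather than reproducing any Winlogbeat option.

```powershell
# Added example, not part of the Winlogbeat docs or the Beats project.
# Assumptions: Elasticsearch at $EsUrl with no authentication; template file in
# the current directory. Function names and switches are this example's own.
$EsUrl        = "http://localhost:9200"
$TemplateName = "winlogbeat"
$TemplatePath = ".\winlogbeat.template.json"

function Test-TemplateExists {
    param([string]$Url, [string]$Name)
    try {
        Invoke-RestMethod -Method Get -Uri "$Url/_template/$Name" -ErrorAction Stop | Out-Null
        return $true
    } catch {
        # 404 means no template of that name; any other failure is a real error.
        if ($_.Exception.Response -and [int]$_.Exception.Response.StatusCode -eq 404) { return $false }
        throw
    }
}

function Install-Template {
    param([string]$Url, [string]$Name, [string]$Path, [switch]$Overwrite)

    if (-not (Test-Path $Path)) { throw "Template file not found: $Path" }
    # Reject a corrupt or truncated file locally before sending it to Elasticsearch.
    $null = Get-Content -Raw $Path | ConvertFrom-Json

    # Same rule as Winlogbeat's template.overwrite: leave an existing template alone unless asked.
    if ((Test-TemplateExists $Url $Name) -and -not $Overwrite) {
        Write-Host "Template '$Name' already exists; leaving it in place (use -Overwrite to replace it)."
        return
    }

    # Explicit Content-Type: newer Elasticsearch versions reject bodies without it.
    $resp = Invoke-RestMethod -Method Put -Uri "$Url/_template/$Name" `
                -ContentType "application/json" -InFile $Path
    if (-not $resp.acknowledged) { throw "Elasticsearch did not acknowledge the template: $resp" }

    # Read the template back and report the index pattern it applies to
    # ('template' in the pre-6.0 format, 'index_patterns' afterwards).
    $loaded  = (Invoke-RestMethod -Method Get -Uri "$Url/_template/$Name").$Name
    $pattern = if ($loaded.index_patterns) { $loaded.index_patterns -join ", " } else { $loaded.template }
    Write-Host "Loaded template '$Name' for indices matching: $pattern"
}

function Remove-OldIndices {
    param([string]$Url, [string]$Pattern = "winlogbeat-*")

    # Show exactly which indices the wildcard resolves to before deleting anything.
    $indices = (Invoke-RestMethod -Method Get -Uri "$Url/_cat/indices/$Pattern?h=index") -split "`n" |
               ForEach-Object { $_.Trim() } | Where-Object { $_ }
    if (-not $indices) { Write-Host "No indices match $Pattern"; return }

    Write-Host "About to delete: $($indices -join ', ')"
    if ((Read-Host "Type the pattern '$Pattern' to confirm") -ne $Pattern) { Write-Host "Aborted."; return }
    Invoke-RestMethod -Method Delete -Uri "$Url/$Pattern" | Out-Null
    Write-Host "Deleted $($indices.Count) index(es)."
}

Install-Template -Url $EsUrl -Name $TemplateName -Path $TemplatePath   # add -Overwrite to replace
# Remove-OldIndices -Url $EsUrl   # optional: drop indices created before the template was loaded
```

The existence check before the PUT is what keeps a scripted run from silently replacing a template someone has customised by hand, and the listing step before the DELETE makes the wildcard's reach visible before any data is lost. If Elasticsearch requires authentication, add -Credential to each Invoke-RestMethod call; the account needs template-management and index-deletion privileges, so do not run this as a day-to-day user.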