Versions
winlogbeat 7.12.1 oss
OpenSearch 2.18.0
Dashboard 2.18.0
Server OS - Windows server 2022
Browser - Mozilla Firefox
Describe the issue:
I want to use opensearch to collect windows event log , by using winlogbeat i can send logs to opensearch (it work), then use the alertig system with sigma rules for windows to analyze and send a message through webhook, i’m able to define all and send test message, but when try to save, receive the message on dashboard:
[alerting_exception] Invalid owner field
Configuration:
winlogbeat.yml
winlogbeat.event_logs:
- name: ForwardedEvents
setup.template.name: "windowsserver2idx"
setup.template.pattern: "windowsserver2idx-*"
setup.template.overwrite: false
setup.template.settings:
index.number_of_shards: 1
output.elasticsearch:
hosts: ["localhost:9200"]
index: "windowsserver2idx-%{+yyyy.MM}"
protocol: "https"
ssl.certificate: esnode.pem
ssl.key: esnode-key.pem
ssl.certificate_authorities: [root-ca.pem]
username: admin
password: Password123!
logging.to_files: true
logging.files:
path: C:\winlogbeat-7.12.1\logs
logging.level: debug
. opensearch.yml
compatibility.override_main_response_version: true
plugins.security.ssl.transport.pemcert_filepath: esnode.pem
plugins.security.ssl.transport.pemkey_filepath: esnode-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: esnode.pem
plugins.security.ssl.http.pemkey_filepath: esnode-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
plugins.security.allow_unsafe_democertificates: true
plugins.security.allow_default_init_securityindex: true
plugins.security.authcz.admin_dn: ['CN=admin,OU=client,O=client,L=test,C=de']
plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: [all_access, security_rest_api_access]
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [.plugins-ml-agent, .plugins-ml-config, .plugins-ml-connector,
.plugins-ml-controller, .plugins-ml-model-group, .plugins-ml-model, .plugins-ml-task,
.plugins-ml-conversation-meta, .plugins-ml-conversation-interactions, .plugins-ml-memory-meta,
.plugins-ml-memory-message, .plugins-ml-stop-words, .opendistro-alerting-config,
.opendistro-alerting-alert*, .opendistro-anomaly-results*, .opendistro-anomaly-detector*,
.opendistro-anomaly-checkpoints, .opendistro-anomaly-detection-state, .opendistro-reports-*,
.opensearch-notifications-*, .opensearch-notebooks, .opensearch-observability, .ql-datasources,
.opendistro-asynchronous-search-response*, .replication-metadata-store, .opensearch-knn-models,
.geospatial-ip2geo-data*, .plugins-flow-framework-config, .plugins-flow-framework-templates,
.plugins-flow-framework-state]
node.max_local_storage_nodes: 3
logger.org.opensearch: info
-opensearch_dashboard.yml
opensearch.hosts: [https://localhost:9200]
opensearch.ssl.verificationMode: none
opensearch.username: kibanaserver
opensearch.password: kibanaserver
opensearch.requestHeadersAllowlist: ["securitytenant","Authorization"]
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.enable_global: true
opensearch_security.multitenancy.tenants.enable_private: true
opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
opensearch_security.multitenancy.enable_filter: false