Imported Dashboard cannot be seen

Hi,

I am using winlogbeat to send the security event to Kibana.
The dashboards were successfully imported through the API, however i cannot see them on Kibana Dashboards:

2021-03-10T14:53:48.453+0700 DEBUG [dashboards] dashboards/kibana_loader.go:156 Initialize the Kibana 7.10.2 loader
2021-03-10T14:53:48.453+0700 DEBUG [dashboards] dashboards/kibana_loader.go:156 Kibana URL https://kibana:5601
2021-03-10T14:53:49.867+0700 DEBUG [dashboards] dashboards/kibana_loader.go:156 Importing directory C:\winlogbeat\kibana/7
2021-03-10T14:53:49.867+0700 DEBUG [dashboards] dashboards/kibana_loader.go:156 Import directory C:\winlogbeat\kibana/7
2021-03-10T14:53:49.867+0700 DEBUG [dashboards] dashboards/kibana_loader.go:156 Import dashboard from C:\winlogbeat\kibana\7\dashboard\Powershell-Overview-Dashboard.json
2021-03-10T14:53:50.870+0700 DEBUG [dashboards] dashboards/kibana_loader.go:156 Import dashboard from C:\winlogbeat\kibana\7\dashboard\Winlogbeat-overview.json
2021-03-10T14:53:52.056+0700 DEBUG [dashboards] dashboards/kibana_loader.go:156 Import dashboard from C:\winlogbeat\kibana\7\dashboard\winlogbeat-security-failed-blocked-accounts-tsvb.json
2021-03-10T14:53:53.949+0700 DEBUG [dashboards] dashboards/kibana_loader.go:156 Import dashboard from C:\winlogbeat\kibana\7\dashboard\winlogbeat-security-failed-blocked-accounts.json
2021-03-10T14:53:57.087+0700 DEBUG [dashboards] dashboards/kibana_loader.go:156 Import dashboard from C:\winlogbeat\kibana\7\dashboard\winlogbeat-security-group-management-tsvb.json
2021-03-10T14:53:57.920+0700 DEBUG [dashboards] dashboards/kibana_loader.go:156 Import dashboard from C:\winlogbeat\kibana\7\dashboard\winlogbeat-security-group-management.json
2021-03-10T14:53:58.930+0700 DEBUG [dashboards] dashboards/kibana_loader.go:156 Import dashboard from C:\winlogbeat\kibana\7\dashboard\winlogbeat-security-user-logons-tsvb.json
2021-03-10T14:53:59.949+0700 DEBUG [dashboards] dashboards/kibana_loader.go:156 Import dashboard from C:\winlogbeat\kibana\7\dashboard\winlogbeat-security-user-logons.json
2021-03-10T14:54:00.967+0700 DEBUG [dashboards] dashboards/kibana_loader.go:156 Import dashboard from C:\winlogbeat\kibana\7\dashboard\winlogbeat-security-user-management-tsvb.json
2021-03-10T14:54:01.981+0700 DEBUG [dashboards] dashboards/kibana_loader.go:156 Import dashboard from C:\winlogbeat\kibana\7\dashboard\winlogbeat-security-user-management.json
2021-03-10T14:54:06.127+0700 INFO instance/beat.go:830 Kibana dashboards successfully loaded.
2021-03-10T14:54:06.127+0700 INFO instance/beat.go:468 winlogbeat start running.

Hey @cavril ,

how you did install the winlogbeat? By following the guideline/steps on the Kibana UI? Did you use winlogbeat-oss ? ODFE works (or at least has been tested to work) with oss-like versions of beats and logstash. Reg. the configuration you should also follow the guidelines here: Troubleshoot - Open Distro for Elasticsearch Documentation, mainly disable:

 setup.ilm.enabled: false
 setup.ilm.check_exists: false

Maybe share your winlogbeat.yml so that we can help you with better troubleshooting.

Best,
Gezim

Hi @GezimSejdiu ,

I was previously connecting this winlogbeat to another ELK (not Opendistro) and it worked perfectly, so i just changed the output to target opendistro.
I installed this one: Winlogbeat

winlogbeat.event_logs:
- name: Application
ignore_older: 72h

- name: System

- name: Security
event_id: 4624, 4625, 4700-4800
processors:
- script:
lang: javascript
id: security
file: ${path.home}/module/security/config/winlogbeat-security.js

- name: Microsoft-Windows-Sysmon/Operational
processors:
- script:
lang: javascript
id: sysmon
file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js

- name: Windows PowerShell
event_id: 400, 403, 600, 800
processors:
- script:
lang: javascript
id: powershell
file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

- name: Microsoft-Windows-PowerShell/Operational
event_id: 4103, 4104, 4105, 4106, 1149
processors:
- script:
lang: javascript
id: powershell
file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

- name: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
event_id: 1149
processors:
- script:
lang: javascript
id: powershell
file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

- name: ForwardedEvents
tags: [forwarded]
processors:
- script:
when.equals.winlog.channel: Security
lang: javascript
id: security
file: {path.home}/module/security/config/winlogbeat-security.js \- script: when.equals.winlog.channel: Microsoft-Windows-Sysmon/Operational lang: javascript id: sysmon file: {path.home}/module/sysmon/config/winlogbeat-sysmon.js
- script:
when.equals.winlog.channel: Windows PowerShell
lang: javascript
id: powershell
file: {path.home}/module/powershell/config/winlogbeat-powershell.js \- script: when.equals.winlog.channel: Microsoft-Windows-PowerShell/Operational lang: javascript id: powershell file: {path.home}/module/powershell/config/winlogbeat-powershell.js

# ====================== Elasticsearch template settings =======================

setup.template.settings:
index.number_of_shards: 1
#index.codec: best_compression
#_source.enabled: false

# ================================= Dashboards =================================
setup.dashboards.enabled: true

# =================================== Kibana ===================================

setup.kibana:
host: “https://kibana:5601
username: “apikibana”
password: “xxxxxxx”
ssl.certificate_authorities: [“C:/winlogbeat/cert/elasticsearch-ca.pem”]

# ================================== Outputs ===================================

# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
#hosts: [“localhost:9200”]
hosts: “10.10.X.X:9200”
username: “xxxx”
password: “xxxx”

# ================================= Processors =================================
processors:
- add_host_metadata:
when.not.contains.tags: forwarded
#- add_cloud_metadata: ~

# ================================== Logging ===================================

logging.level: debug

Hey @cavril ,

so, yes you are using the licensed one: License: Elastic License and not the one I just shared: winlogbeat-oss. I would suggest that you try to re-isntall winlogbeat using the oss version and also configure those settings I just shared above with you: Troubleshoot - Open Distro for Elasticsearch Documentation and add them here:

# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
#hosts: [“localhost:9200”]
hosts: “10.10.X.X:9200”
username: “xxxx”
password: “xxxx”

b.t.w when you say hosts: “10.10.X.X:9200” it will choose HTTP protocol, right? And ODFE by default is using HTTP(s) via TLS/SSL (of course with demo certificates).

I can’t reproduce this now but if I manage to find some more spare time, maybe I can give it a try.

Thank you for for highlights between the licensing explanation.
My elasticsearch is not exposed with https and the http output is working perfectly.
I was able to create index pattern, dashboard but the publishing of the dashboard does not appear on Kibana.
So i am not sure about which role mapping or permission is required to be able to see them.

Kibana has internal and ldap authentication mechanism