From 7b539dfbb6e5f43d16dd9c71beb7144d57ed2ce6 Mon Sep 17 00:00:00 2001 From: DeDe Morton Date: Mon, 12 Sep 2016 18:20:21 -0700 Subject: [PATCH 1/3] Add misc content changes --- filebeat/docs/faq.asciidoc | 13 +++++++++++++ .../configuration/filebeat-options.asciidoc | 4 +++- libbeat/docs/shared-command-line.asciidoc | 8 ++++++++ winlogbeat/docs/fields.asciidoc | 2 +- winlogbeat/etc/fields.yml | 7 +++++-- 5 files changed, 30 insertions(+), 4 deletions(-) diff --git a/filebeat/docs/faq.asciidoc b/filebeat/docs/faq.asciidoc index fdf55e3ed72..c1646ed1d2b 100644 --- a/filebeat/docs/faq.asciidoc +++ b/filebeat/docs/faq.asciidoc @@ -46,6 +46,19 @@ config file. Setting `scan_frequency` to less than 1s may cause Filebeat to scan The index template might not be loaded correctly. See <>. +[float] +[[fields-not-indexed]] +=== Fields are not indexed or usable in Kibana visualizations? + +If you have recently performed an operation that loads or parses custom, structured logs, +you might need to refresh the index to make the fields available in Kibana. To refresh +the index, use the {elasticsearch}/indices-refresh.html[refresh API]. For example: + +["source","sh"] +---------------------------------------------------------------------- +curl -XPOST 'http://localhost:9200/filebeat-2016.08.09/_refresh' +---------------------------------------------------------------------- + [float] [[newline-character-required-eof]] === Filebeat isn't shipping the last line of a file? diff --git a/filebeat/docs/reference/configuration/filebeat-options.asciidoc b/filebeat/docs/reference/configuration/filebeat-options.asciidoc index f724588e56b..0734d343e3d 100644 --- a/filebeat/docs/reference/configuration/filebeat-options.asciidoc +++ b/filebeat/docs/reference/configuration/filebeat-options.asciidoc 
@@ -35,7 +35,9 @@ The value that you specify here is used as the `input_type` for each event publi ===== paths -A list of glob-based paths that should be crawled and fetched. Filebeat starts a harvester for +A list of glob-based paths that should be crawled and fetched. Filebeat supports all glob patterns that are supported by https://golang.org/pkg/path/filepath/#Glob[Golang Glob]. + +Filebeat starts a harvester for each file that it finds under the specified paths. You can specify one path per line. Each line begins with a dash (-). ===== encoding diff --git a/libbeat/docs/shared-command-line.asciidoc b/libbeat/docs/shared-command-line.asciidoc index d0ac0eca35c..07723b95e8d 100644 --- a/libbeat/docs/shared-command-line.asciidoc +++ b/libbeat/docs/shared-command-line.asciidoc @@ -9,6 +9,14 @@ //// include::../../libbeat/docs/shared-command-line.asciidoc[] ////////////////////////////////////////////////////////////////////////// +*`-E =`*:: +Overwrite an individual setting in the config file. For example: ++ +["source","sh"] +---------------------------------------------------------------------- +sudo ./packetbeat -c packetbeat.yml -E name=mybeat +---------------------------------------------------------------------- + *`-N`*:: Disable the publishing of events to the defined output. This option is useful only for testing the Beat. diff --git a/winlogbeat/docs/fields.asciidoc b/winlogbeat/docs/fields.asciidoc index a0b3eb8200a..74f7107b326 100644 --- a/winlogbeat/docs/fields.asciidoc +++ b/winlogbeat/docs/fields.asciidoc @@ -114,7 +114,7 @@ type: dict required: False -The event specific data. This field is mutually exclusive with `user_data`. +The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log messages are unnamed in earlier versions of Windows. [float] 
diff --git a/winlogbeat/etc/fields.yml b/winlogbeat/etc/fields.yml index 58841905bfb..d3359f25aae 100644 --- a/winlogbeat/etc/fields.yml +++ b/winlogbeat/etc/fields.yml @@ -42,8 +42,11 @@ dict-type: keyword required: false description: > - The event specific data. This field is mutually exclusive with - `user_data`. + The event-specific data. This field is mutually exclusive with + `user_data`. If you are capturing event data on versions prior + to Windows Vista, the parameters in `event_data` are named `param1`, + `param2`, and so on, because event log messages are unnamed in + earlier versions of Windows. - name: event_id type: long From eed2726bcafbc061443a6ae721498e4ef016a675 Mon Sep 17 00:00:00 2001 From: DeDe Morton Date: Mon, 12 Sep 2016 18:30:14 -0700 Subject: [PATCH 2/3] Remove root CA restriction --- libbeat/docs/shared-ssl-logstash-config.asciidoc | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/libbeat/docs/shared-ssl-logstash-config.asciidoc b/libbeat/docs/shared-ssl-logstash-config.asciidoc index 1b940aefb88..a9eea1339be 100644 --- a/libbeat/docs/shared-ssl-logstash-config.asciidoc +++ b/libbeat/docs/shared-ssl-logstash-config.asciidoc 
@@ -18,18 +18,12 @@ To use SSL mutual authentication: . Create a certificate authority (CA) and use it to sign the certificates that you plan to use for {beatname_uc} and Logstash. Creating a correct SSL/TLS infrastructure is outside the scope of this document. There are many online resources available that describe how to create certificates, including the section in the {security} documentation about {securitydoc}/certificate-authority.html[setting up a certificate authority]. -+ -NOTE: Certificates must be signed by your root CA. Intermediate CAs are currently not supported. . Configure {beatname_uc} to use SSL. In the +{beatname_lc}.yml+ config file, specify the following settings under `ssl`: + * `certificate_authorities`: Configures {beatname_uc} to trust any certificates signed by the specified CA. If `certificate_authorities` is empty or not set, the trusted certificate authorities of the host system are used. -+ -Although intermediate CAs are currently not supported, you may be able to work around this issue by merging all the -certificates in the chain into one file. You can create the PEM file containing the CA chain by concatenating the root CA -cert and the intermediate CA into a single file: `cat root-ca.crt intermediate-ca.crt > chain.crt`. Then set `certificate_authorities` to use this file: `certificate_authorities: ['chain.crt']`. * `certificate` and `key`: Specifies the certificate and key that {beatname_uc} uses to authenticate with Logstash. @@ -73,7 +67,7 @@ input { ------------------------------------------------------------------------------ + For more information about these options, see the -https://www.elastic.co/guide/en/logstash/current/plugins-inputs-beats.html[documentation] for the Beats input plugin. +https://www.elastic.co/guide/en/logstash/current/plugins-inputs-beats.html[documentation for the Beats input plugin]. [float] [[testing-ssl-logstash]] From 816335bc214bc43b68f5a7a4dc39c7ca45458433 Mon Sep 17 00:00:00 2001 
From: DeDe Morton Date: Thu, 15 Sep 2016 22:26:50 -0700 Subject: [PATCH 3/3] Fix event_data description --- winlogbeat/docs/fields.asciidoc | 2 +- winlogbeat/etc/fields.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/winlogbeat/docs/fields.asciidoc b/winlogbeat/docs/fields.asciidoc index 74f7107b326..a8a370b15c0 100644 --- a/winlogbeat/docs/fields.asciidoc +++ b/winlogbeat/docs/fields.asciidoc @@ -114,7 +114,7 @@ type: dict required: False -The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log messages are unnamed in earlier versions of Windows. +The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. [float] diff --git a/winlogbeat/etc/fields.yml b/winlogbeat/etc/fields.yml index d3359f25aae..fa10dcfacf8 100644 --- a/winlogbeat/etc/fields.yml +++ b/winlogbeat/etc/fields.yml @@ -45,7 +45,7 @@ The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, - `param2`, and so on, because event log messages are unnamed in + `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. - name: event_id
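Review bot: In the filebeat/docs/faq.asciidoc hunk, the curl example hardcodes one daily index, `filebeat-2016.08.09`, so the command as written will not match the index most readers actually have; state that the index name must be replaced with their own, or refresh with a wildcard such as `curl -XPOST 'http://localhost:9200/filebeat-*/_refresh'` so the example works regardless of the date.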
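Review bot: In the filebeat-options.asciidoc hunk, "Golang Glob" should read "Go's `filepath.Glob`" to match the name of the linked package function, and the sentence that was split off ("Filebeat starts a harvester for each file that it finds under the specified paths.") now stands as its own paragraph; keep it attached to the first paragraph so the description of `paths` reads as one unit.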
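Review bot: In the libbeat/docs/shared-command-line.asciidoc hunk, the option label `*`-E =`*::` has lost its placeholders: there is nothing between `-E` and `=`, so the entry reads as a flag with no argument. Restore the setting and value placeholders (for example `-E <setting>=<value>`) and check that the angle brackets survive asciidoc rendering. The example `sudo ./packetbeat -c packetbeat.yml -E name=mybeat` also hardcodes packetbeat in a file that is included by every Beat, while the SSL doc in this same series uses the `{beatname_lc}` attribute; use `{beatname_lc}` here too, and "Override" rather than "Overwrite", since the config file itself is not modified.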
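Review bot: In the libbeat/docs/shared-ssl-logstash-config.asciidoc hunk, deleting the NOTE and the chain-file workaround leaves no statement of what is now supported: the remaining text for `certificate_authorities` says nothing about intermediate CAs or whether a PEM file holding the full chain is accepted, so a reader of the earlier doc cannot tell the restriction was lifted. Add one sentence saying that intermediate CAs are supported and that the file may contain the chain. Next to "If `certificate_authorities` is empty or not set, the trusted certificate authorities of the host system are used", it is also worth saying that for mutual authentication with a private CA the setting should be set explicitly, because the fallback to the host trust store means the Beat would accept any Logstash certificate signed by a CA the host already trusts.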
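Review bot: The same `event_data` description is hand-edited in both winlogbeat/docs/fields.asciidoc and winlogbeat/etc/fields.yml, in patch 1/3 and again in patch 3/3; if fields.asciidoc is generated from fields.yml, edit only the yml and regenerate so the two files cannot drift. Patch 3/3 only corrects "messages" to "parameters" in text introduced by patch 1/3 of this series, so squash it into patch 1/3 rather than landing the wrong wording and its fix as separate commits.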