Can't get winlogbeat to send logs

Hello, all.

In my continuing quest to get ELK 5.x set up, I've managed to get logstash, filebeat, and topbeat logging working. However, despite hours and hours spent researching the issue, then trying every tweak under the sun, I can't get winlogbeat to work. I'm trying to use logstash output. At the sending host, this is what I see in the winlogbeat log:

14T15:13:14.543713Z","uptime":"7m30.0197865s","uptime_ms":"450019786"}
2017-06-14T11:20:47-04:00 ERR Connecting error publishing events (retrying): dial tcp 10.0.10.101:5044: connectex: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

This is from winlogbeat.yml, with the understanding that it started simple, and I've added a bunch of stuff to try to get it working:

output.logstash:
  # The Logstash hosts
  hosts: ["10.0.010.101:5044"]
  template.name: "winlogbeat"
  template.path: "winlogbeat.template.json"
  template.overwrite: false
  dashboards.enabled: true
  index: "winlogbeat"
  ssl.certificate_authorities: ["C:/Program Files/winlogbeat/ELK.crt"]

Running "curl http://10.0.101.101:9200/_cat/indices" shows no winlogbeat indices.

From that box, I can ping the ELK server and telnet to port 5044. There's no firewall blocking connectivity. Can anyone help? I'll post whatever else you might require to help me.

Thanks.

Diggy

Please post your Logstash config and the output of sudo netstat -anp | grep 5044 from the Logstash host.

Hi, Andrew.

Results of netstat -anp | grep 5044:

tcp 0 0 0.0.0.0:5044 0.0.0.0:* LISTEN 10791/java
tcp 0 0 10.0.101.101:5044 69.25.193.192:34680 ESTABLISHED 10791/java
tcp 0 0 10.0.101.101:5044 69.25.192.67:47870 ESTABLISHED 10791/java

The last two lines are filebeat connections from a couple of machines.

My configuration is from my ELK 2.x instance (which worked great, btw), and is broken into three files - one each for input, filtering, and output. The filtering config is a bit longish, so I posted them all here: https://pastebin.com/zPSyCkX8 . Hope it's not a huge pita.

Thanks so much.

That all looks normal. I think I would do a tcpdump on the Logstash host to see what's sent from the Windows host. Then take a look at the pcap file with Wireshark.

sudo tcpdump -i eth0 -w mycap.pcap host <windows-ip> and port 5044

Did you misconfigure the IP address in the Winlogbeat config file?

10.0.101.101:5044
10.0.10. 101:5044
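The mismatch Andrew spotted is easy to miss by eye: the config says `10.0.010.101`, the beat's own ERR line shows it dialed `10.0.10.101`, and Logstash is listening on `10.0.101.101`. The script below is an added example (not code from the thread, Elastic or the Beats project) that automates that comparison: it pulls the dialed endpoint out of a Beats log line, audits each `hosts:` entry for ambiguous dotted quads (leading zeros, stray whitespace, wrong octet count) and compares it against the Logstash address you expect, and confirms from `netstat` output that something is actually in LISTEN on the port. The sample log line, config entry and netstat lines are constructed from the values posted above; the expected Logstash address is an assumption taken from the thread.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed samples, copied from the thread above (not a live capture).
WINLOGBEAT_ERR_LINE = (
    "2017-06-14T11:20:47-04:00 ERR Connecting error publishing events (retrying): "
    "dial tcp 10.0.10.101:5044: connectex: A connection attempt failed because the "
    "connected party did not properly respond after a period of time."
)
CONFIGURED_HOSTS = ["10.0.010.101:5044"]        # the hosts: entry from winlogbeat.yml
EXPECTED_LOGSTASH_HOST = "10.0.101.101"          # assumption: where Logstash really runs
NETSTAT_LINES = [
    "tcp 0 0 0.0.0.0:5044 0.0.0.0:* LISTEN 10791/java",
    "tcp 0 0 10.0.101.101:5044 69.25.193.192:34680 ESTABLISHED 10791/java",
]

_DIAL_RE = re.compile(r"dial tcp (?P<host>[^\s:]+):(?P<port>\d+):")


def dialed_endpoint(line: str) -> Optional[Tuple[str, int]]:
    """Return the (host, port) a beat actually tried to dial, as printed in its log."""
    m = _DIAL_RE.search(line)
    if not m:
        return None
    return m.group("host"), int(m.group("port"))


def ipv4_problems(host: str) -> List[str]:
    """List readable problems with a dotted-quad string; an empty list means it is clean."""
    problems: List[str] = []
    if " " in host:
        problems.append("contains whitespace")
        host = host.replace(" ", "")
    octets = host.split(".")
    if len(octets) != 4:
        problems.append(f"expected 4 octets, found {len(octets)}")
        return problems
    for i, o in enumerate(octets, start=1):
        if not o.isdigit():
            problems.append(f"octet {i} ({o!r}) is not numeric")
        elif len(o) > 1 and o[0] == "0":
            # inet_aton-style parsers read 010 as octal; others drop the zero. Ambiguous either way.
            problems.append(f"octet {i} ({o!r}) has a leading zero")
        elif int(o) > 255:
            problems.append(f"octet {i} ({o!r}) is out of range")
    return problems


def split_hostport(entry: str) -> Tuple[str, int]:
    """Split 'host:port' on the last colon."""
    host, _, port = entry.rpartition(":")
    return host, int(port)


def audit_hosts(hosts: List[str], expected_host: str, expected_port: int = 5044) -> Dict[str, List[str]]:
    """Map each configured hosts: entry to the list of problems found with it."""
    report: Dict[str, List[str]] = {}
    for entry in hosts:
        host, port = split_hostport(entry)
        problems = ipv4_problems(host)
        if host != expected_host:
            problems.append(f"host {host!r} differs from expected {expected_host!r}")
        if port != expected_port:
            problems.append(f"port {port} differs from expected {expected_port}")
        report[entry] = problems
    return report


def listening_on_port(netstat_lines: List[str], port: int) -> bool:
    """True if any netstat -an line shows a socket in LISTEN on the given port."""
    pat = re.compile(rf":{port}\s+\S+\s+LISTEN\b")
    return any(pat.search(line) for line in netstat_lines)


def main() -> None:
    print("beat dialed:", dialed_endpoint(WINLOGBEAT_ERR_LINE))
    for entry, problems in audit_hosts(CONFIGURED_HOSTS, EXPECTED_LOGSTASH_HOST).items():
        status = "OK" if not problems else "; ".join(problems)
        print(f"{entry}: {status}")
    print("Logstash listening on 5044:", listening_on_port(NETSTAT_LINES, 5044))


if __name__ == "__main__":
    main()
```

Run it against your own `winlogbeat.yml` hosts list and the netstat output from the Logstash box; a clean entry with a LISTEN socket narrows the problem to the network path, which is when the tcpdump suggested above earns its keep.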

Andrew, thanks for the catch - all good now! I actually believe that the latest winlogbeat configuration that I did was the one that worked.

Thanks, again.
