In my continuing quest to get ELK 5.x set up, I've managed to get logstash, filebeat, and topbeat logging working. However, despite hours and hours spent researching the issue, then trying every tweak under the sun, I can't get winlogbeat to work. I'm trying to use logstash output. At the sending host, this is what I see in the winlogbeat log:
14T15:13:14.543713Z","uptime":"7m30.0197865s","uptime_ms":"450019786"}
2017-06-14T11:20:47-04:00 ERR Connecting error publishing events (retrying): dial tcp 10.0.10.101:5044: connectex: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
This is from winlogbeat.yml, with the understanding that it started simple, and I've added a bunch of stuff to try to get it working:
From that box, I can ping the ELK server and telnet to port 5044. There's no firewall blocking connectivity. Can anyone help? I'll post whatever else you might require to help me.
The last two lines are filebeat connections from a couple of machines (.
My configuration is from my ELK 2.x instance (which worked great, btw), and is broken into three files - one each for input, filtering, and output. The filtering config is a bit longish, so I posted them all here: https://pastebin.com/zPSyCkX8 . Hope it's not a huge pita.
That all looks normal. I think I would do a tcpdump on the Logstash host to see what's sent from the Windows host. Then take a look at the pcap file with Wireshark.
sudo tcpdump -i eth0 -w mycap.pcap host <windows-ip> and port 5044
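The two things worth separating in a thread like this are what the beat is actually reporting (a connect timeout, not a refusal) and whether a plain TCP connect from the sending side behaves the same way. The script below is an added example for this thread, not code from the original post or from Elastic: it parses the "dial tcp <host>:<port>: <reason>" error line quoted above into a coarse failure class, and probes the beats port the way the beat's dialer does. The log line format and the 3-second connect timeout are assumptions; the sample line is the one from the post.

```python
"""Classify winlogbeat 'dial tcp' error lines and probe the Logstash beats port.

Added example for the thread above; not code from the original post or from
Elastic.  Assumes the Beats 5.x log shape "<timestamp> <LEVEL> <message>" with
the Go dialer's "dial tcp <host>:<port>: <reason>" suffix, and a 3 s connect
timeout chosen here for illustration (not a winlogbeat setting).
"""
import re
import socket
from typing import Dict, Optional, Tuple

# Constructed sample: the error line quoted in the post.
SAMPLE_LINE = (
    "2017-06-14T11:20:47-04:00 ERR Connecting error publishing events (retrying): "
    "dial tcp 10.0.10.101:5044: connectex: A connection attempt failed because the "
    "connected party did not properly respond after a period of time, or established "
    "connection failed because connected host has failed to respond."
)

# Assumed log shape; the dialer suffix is what carries the target and reason.
_BEAT_ERR_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>[A-Z]{3,5})\s+.*?dial tcp "
    r"(?P<host>[^:\s]+):(?P<port>\d+):\s*(?P<reason>.*)$"
)


def parse_beat_error(line: str) -> Optional[Dict[str, str]]:
    """Return timestamp, level, target host/port and a coarse failure class
    ('timeout', 'refused' or 'other') for a beat 'dial tcp' error line,
    or None if the line is not one."""
    m = _BEAT_ERR_RE.match(line.strip())
    if not m:
        return None
    reason = m.group("reason").lower()
    if ("did not properly respond after a period of time" in reason
            or "i/o timeout" in reason or "timed out" in reason):
        failure = "timeout"   # SYN never answered: filtered, dropped or mis-routed
    elif "refused" in reason:
        failure = "refused"   # host reachable, nothing listening on the port
    else:
        failure = "other"
    return {
        "timestamp": m.group("ts"),
        "level": m.group("level"),
        "host": m.group("host"),
        "port": m.group("port"),
        "failure": failure,
    }


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Do a bare TCP connect like the beat's dialer and return 'open',
    'refused', 'timeout' or 'other'.  Run it from the Windows host against the
    Logstash IP and, for comparison, on the Logstash host against
    127.0.0.1:5044; 'open' locally but 'timeout' remotely points at the path
    between them (host firewall, routing), which the tcpdump above will show."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "other"
    finally:
        s.close()


def start_local_listener() -> Tuple[socket.socket, int]:
    """Bind a throwaway listener on 127.0.0.1 so probe_tcp can be exercised
    offline; returns (server socket, port).  Close the socket when done."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def closed_local_port() -> int:
    """Return a loopback port that was just released, so a probe against it
    should be refused rather than time out."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    print(parse_beat_error(SAMPLE_LINE))
    srv, port = start_local_listener()
    print("loopback listener:", probe_tcp("127.0.0.1", port))
    srv.close()
    print("released port:", probe_tcp("127.0.0.1", closed_local_port()))
```

The error in the post classifies as a timeout, which is a different symptom from "connection refused": refused means the SYN reached a host that answered with RST, a timeout means nothing came back at all. A telnet that succeeds from the same box while the beat times out is exactly the case where the capture on the Logstash side tells you whether the beat's SYNs are arriving.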