Cant send sysmon logs via logstash output to apache nifi

roie · December 18, 2022, 9:58am

hi . im trying to send sysmon logs via logstash and there is no data getin ,
these are my logs error:
{"log.level":"error","@timestamp":"2022-12-18T08:15:16.318Z","log.logger":"publisher_pipeline_output","log.origin":{"file.name":"pipeline/client_worker.go","file.line":150},"message":"Failed to connect to failover(backoff(async(tcp://ameli-hafia:5000)),backoff(async(tcp://ameli-hafifa2:5000)),backoff(async(tcp://ameli-hafifa3:5000))): dial tcp 172.20.0.21:5000: connectex: No connection could be made because the target machine actively refused it.","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2022-12-18T08:15:19.866Z","log.logger":"publisher_pipeline_output","log.origin":{"file.name":"pipeline/client_worker.go","file.line":150},"message":"Failed to connect to failover(backoff(async(tcp://ameli-hafia:5000)),backoff(async(tcp://ameli-hafifa2:5000)),backoff(async(tcp://ameli-hafifa3:5000))): dial tcp 172.20.0.22:5000: connectex: No connection could be made because the target machine actively refused it.","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2022-12-18T08:15:24.100Z","log.logger":"publisher_pipeline_output","log.origin":{"file.name":"pipeline/client_worker.go","file.line":150},"message":"Failed to connect to failover(backoff(async(tcp://ameli-hafia:5000)),backoff(async(tcp://ameli-hafifa2:5000)),backoff(async(tcp://ameli-hafifa3:5000))): dial tcp 172.20.0.21:5000: connectex: No connection could be made because the target machine actively refused it.","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2022-12-18T08:15:24.366Z","log.logger":"logstash","log.origin":{"file.name":"logstash/async.go","file.line":280},"message":"Failed to publish events caused by: read tcp 172.20.0.23:50539->172.20.0.20:5000: wsarecv: An established connection was aborted by the software in your host machine.","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2022-12-18T08:15:24.439Z","log.logger":"logstash","log.origin":{"file.name":"logstash/async.go","file.line":280},"message":"Failed to publish events caused by: client is not connected","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2022-12-18T08:15:26.203Z","log.logger":"publisher_pipeline_output","log.origin":{"file.name":"pipeline/client_worker.go","file.line":176},"message":"failed to publish events: client is not connected","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2022-12-18T08:15:31.552Z","log.logger":"publisher_pipeline_output","log.origin":{"file.name":"pipeline/client_worker.go","file.line":150},"message":"Failed to connect to failover(backoff(async(tcp://ameli-hafia:5000)),backoff(async(tcp://ameli-hafifa2:5000)),backoff(async(tcp://ameli-hafifa3:5000))): dial tcp 172.20.0.22:5000: connectex: No connection could be made because the target machine actively refused it.","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2022-12-18T08:15:38.831Z","log.logger":"publisher_pipeline_output","log.origin":{"file.name":"pipeline/client_worker.go","file.line":150},"message":"Failed to connect to failover(backoff(async(tcp://ameli-hafia:5000)),backoff(async(tcp://ameli-hafifa2:5000)),backoff(async(tcp://ameli-hafifa3:5000))): dial tcp 172.20.0.21:5000: connectex: No connection could be made because the target machine actively refused it.","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2022-12-18T08:15:38.908Z","log.logger":"logstash","log.origin":{"file.name":"logstash/async.go","file.line":280},"message":"Failed to publish events caused by: read tcp 172.20.0.23:50545->172.20.0.20:5000: wsarecv: An established connection was aborted by the software in your host machine.","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2022-12-18T08:15:38.913Z","log.logger":"logstash","log.origin":{"file.name":"logstash/async.go","file.line":280},"message":"Failed to publish events caused by: client is not connected","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2022-12-18T08:15:40.305Z","log.logger":"publisher_pipeline_output","log.origin":{"file.name":"pipeline/client_worker.go","file.line":176},"message":"failed to publish events: client is not connected","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2022-12-18T08:15:47.481Z","log.logger":"publisher_pipeline_output","log.origin":{"file.name":"pipeline/client_worker.go","file.line":150},"message":"Failed to connect to failover(backoff(async(tcp://ameli-hafia:5000)),backoff(async(tcp://ameli-hafifa2:5000)),backoff(async(tcp://ameli-hafifa3:5000))): dial tcp 172.20.0.22:5000: connectex: No connection could be made because the target machine actively refused it.","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2022-12-18T08:15:47.590Z","log.logger":"logstash","log.origin":{"file.name":"logstash/async.go","file.line":280},"message":"Failed to publish events caused by: read tcp 172.20.0.23:50547->172.20.0.20:5000: wsarecv: An established connection was aborted by the software in your host machine.","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2022-12-18T08:15:47.610Z","log.logger":"logstash","log.origin":{"file.name":"logstash/async.go","file.line":280},"message":"Failed to publish events caused by: client is not connected","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2022-12-18T08:15:49.470Z","log.logger":"publisher_pipeline_output","log.origin":{"file.name":"pipeline/client_worker.go","file.line":176},"message":"failed to publish events: client is not connected","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2022-12-18T08:16:07.248Z","log.logger":"publisher_pipeline_output","log.origin":{"file.name":"pipeline/client_worker.go","file.line":150},"message":"Failed to connect to failover(backoff(async(tcp://ameli-hafia:5000)),backoff(async(tcp://ameli-hafifa2:5000)),backoff(async(tcp://ameli-hafifa3:5000))): dial tcp 172.20.0.22:5000: connectex: No connection could be made because the target machine actively refused it.","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2022-12-18T08:16:22.950Z","log.logger":"publisher_pipeline_output","log.origin":{"file.name":"pipeline/client_worker.go","file.line":150},"message":"Failed to connect to failover(backoff(async(tcp://ameli-hafia:5000)),backoff(async(tcp://ameli-hafifa2:5000)),backoff(async(tcp://ameli-hafifa3:5000))): dial tcp 172.20.0.21:5000: connectex: No connection could be made because the target machine actively refused it.","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2022-12-18T08:16:42.462Z","log.logger":"publisher_pipeline_output","log.origin":{"file.name":"pipeline/client_worker.go","file.line":150},"message":"Failed to connect to failover(backoff(async(tcp://ameli-hafia:5000)),backoff(async(tcp://ameli-hafifa2:5000)),backoff(async(tcp://ameli-hafifa3:5000))): dial tcp 172.20.0.22:5000: connectex: No connection could be made because the target machine actively refused it.","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2022-12-18T08:17:15.433Z","log.logger":"publisher_pipeline_output","log.origin":{"file.name":"pipeline/client_worker.go","file.line":150},"message":"Failed to connect to failover(backoff(async(tcp://ameli-hafia:5000)),backoff(async(tcp://ameli-hafifa2:5000)),backoff(async(tcp://ameli-hafifa3:5000))): dial tcp 172.20.0.21:5000: connectex: No connection could be made because the target machine actively refused it.","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2022-12-18T08:17:49.065Z","log.logger":"publisher_pipeline_output","log.origin":{"file.name":"pipeline/client_worker.go","file.line":150},"message":"Failed to connect to failover(backoff(async(tcp://ameli-hafia:5000)),backoff(async(tcp://ameli-hafifa2:5000)),backoff(async(tcp://ameli-hafifa3:5000))): dial tcp 172.20.0.22:5000: connectex: No connection could be made because the target machine actively refused it.","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2022-12-18T08:18:42.176Z","log.logger":"publisher_pipeline_output","log.origin":{"file.name":"pipeline/client_worker.go","file.line":150},"message":"Failed to connect to failover(backoff(async(tcp://ameli-hafia:5000)),backoff(async(tcp://ameli-hafifa2:5000)),backoff(async(tcp://ameli-hafifa3:5000))): dial tcp 172.20.0.21:5000: connectex: No connection could be made because the target machine actively refused it.","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2022-12-18T08:19:43.458Z","log.logger":"publisher_pipeline_output","log.origin":{"file.name":"pipeline/client_worker.go","file.line":150},"message":"Failed to connect to failover(backoff(async(tcp://ameli-hafia:5000)),backoff(async(tcp://ameli-hafifa2:5000)),backoff(async(tcp://ameli-hafifa3:5000))): dial tcp 172.20.0.22:5000: connectex: No connection could be made because the target machine actively refused it.","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2022-12-18T08:19:43.537Z","log.logger":"logstash","log.origin":{"file.name":"logstash/async.go","file.line":280},"message":"Failed to publish events caused by: read tcp 172.20.0.23:50582->172.20.0.20:5000: wsarecv: An established connection was aborted by the software in your host machine.","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2022-12-18T08:19:43.548Z","log.logger":"logstash","log.origin":{"file.name":"logstash/async.go","file.line":280},"message":"Failed to publish events caused by: client is not connected","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2022-12-18T08:19:45.126Z","log.logger":"publisher_pipeline_output","log.origin":{"file.name":"pipeline/client_worker.go","file.line":176},"message":"failed to publish events: client is not connected","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2022-12-18T08:20:21.260Z","log.logger":"publisher_pipeline_output","log.origin":{"file.name":"pipeline/client_worker.go","file.line":150},"message":"Failed to connect to failover(backoff(async(tcp://ameli-hafia:5000)),backoff(async(tcp://ameli-hafifa2:5000)),backoff(async(tcp://ameli-hafifa3:5000))): dial tcp 172.20.0.22:5000: connectex: No connection could be made because the target machine actively refused it.","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2022-12-18T08:20:21.341Z","log.logger":"logstash","log.origin":{"file.name":"logstash/async.go","file.line":280},"message":"Failed to publish events caused by: read tcp 172.20.0.23:50587->172.20.0.20:5000: wsarecv: An established connection was aborted by the software in your host machine.","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2022-12-18T08:20:21.346Z","log.logger":"logstash","log.origin":{"file.name":"logstash/async.go","file.line":280},"message":"Failed to publish events caused by: client is not connected","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2022-12-18T08:20:22.678Z","log.logger":"publisher_pipeline_output","log.origin":{"file.name":"pipeline/client_worker.go","file.line":176},"message":"failed to publish events: client is not connected","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2022-12-18T08:20:58.525Z","log.logger":"publisher_pipeline_output","log.origin":{"file.name":"pipeline/client_worker.go","file.line":150},"message":"Failed to connect to failover(backoff(async(tcp://ameli-hafia:5000)),backoff(async(tcp://ameli-hafifa2:5000)),backoff(async(tcp://ameli-hafifa3:5000))): dial tcp 172.20.0.21:5000: connectex: No connection could be made because the target machine actively refused it.","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2022-12-18T08:20:58.603Z","log.logger":"logstash","log.origin":{"file.name":"logstash/async.go","file.line":280},"message":"Failed to publish events caused by: read tcp 172.20.0.23:50594->172.20.0.20:5000: wsarecv: An established connection was aborted by the software in your host machine.","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2022-12-18T08:20:58.618Z","log.logger":"logstash","log.origin":{"file.name":"logstash/async.go","file.line":280},"message":"Failed to publish events caused by: client is not connected","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2022-12-18T08:20:59.923Z","log.logger":"publisher_pipeline_output","log.origin":{"file.name":"pipeline/client_worker.go","file.line":176},"message":"failed to publish events: client is not connected","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2022-12-18T08:21:42.773Z","log.logger":"publisher_pipeline_output","log.origin":{"file.name":"pipeline/client_worker.go","file.line":150},"message":"Failed to connect to failover(backoff(async(tcp://ameli-hafia:5000)),backoff(async(tcp://ameli-hafifa2:5000)),backoff(async(tcp://ameli-hafifa3:5000))): dial tcp 172.20.0.21:5000: connectex: No connection could be made because the target machine actively refused it.","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2022-12-

Rios · December 18, 2022, 10:13am

Is a firewall active and opened the port 5000 on the host .21?

roie · December 18, 2022, 10:26am

hi , you want me to send you my winlogbeat.yml configuration? there is no firewall active or open port

roie · December 18, 2022, 10:32am

hi , you want me to send you my winlogbeat configuration?

‫בתאריך יום א׳, 18 בדצמ׳ 2022 ב-2:23 מאת ‪Rios via Discuss the Elastic Stack‬‏ <‪notifications@elastic.discoursemail.com‬‏>:‬

leandrojmp · December 18, 2022, 12:49pm

You need to share your configs, both your winlogbeat.yml and your logstash pipeline.

Also, please format your post using the preformatted text, the </> button, it is pretty hard to read the log you shared without the proper formatting, always share configs and logs using that option.

From what you shared you have a network error, your winlogbeat can not access the configured output, you need to troubleshot this to find what is the issue.

roie · December 19, 2022, 8:32am

can you send me your mail that i will send you my winlogbeat.yml config?

leandrojmp · December 19, 2022, 12:00pm

I cannot, share the files here in the topic so more people can see it and maybe help you solve your issue.

system · January 16, 2023, 12:01pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.