Can't send winlogbeat data to logstash

Hi all,
I am now doing the ELK lab with Docker.
The repo: https://github.com/deviantony/docker-elk/
ELK stack host IP: 192.168.87.52

My logstash/pipeline/logstash.conf

input {
        beats {
                port => 5044
        }

        tcp {
                port => 5000
        }
}

## Add your filters / logstash plugins configuration here

output {
        elasticsearch {
                hosts => "elasticsearch:9200"
                user => "elastic"
                password => "changeme"
                ecs_compatibility => disabled
        }

        elasticsearch {
                hosts => "192.168.87.47:9200" ## this is Security Onion host
                user => "so_elastic"
                password => "nFHrqKrQZV0aRSJYKjf4"
                ecs_compatibility => disabled
        }
}

My winlogbeat.yml - OSS 7.13.4


# ======================== Winlogbeat specific options =========================
winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h

  - name: System

  - name: Security

  - name: ForwardedEvents
    tags: [forwarded]

  - name: Windows PowerShell
    event_id: 400, 403, 600, 800

  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104, 4105, 4106

# ====================== Elasticsearch template settings =======================

#setup.template.settings:
  #index.number_of_shards: 1
  #index.codec: best_compression
  #_source.enabled: false


# ================================== General ===================================

# ================================= Dashboards =================================

# =================================== Kibana ===================================

# =============================== Elastic Cloud ================================

# ================================== Outputs ===================================

# ------------------------------ Logstash Output -------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["192.168.87.52:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

# ================================= Processors =================================
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~

# ================================== Logging ===================================

# ============================= X-Pack Monitoring ==============================

# ============================== Instrumentation ===============================

# ================================= Migration ==================================

Test config:

PS C:\Program Files\Winlogbeat> .\winlogbeat.exe test config -e
2021-09-17T20:45:28.065+0700    INFO    instance/beat.go:665    Home path: [C:\Program Files\Winlogbeat] Config path: [C:\Program Files\Winlogbeat] Data path: [C:\Program Files\Winlogbeat\data] Logs path: [C:\Program Files\Winlogbeat\logs]
2021-09-17T20:45:28.067+0700    INFO    instance/beat.go:673    Beat ID: fd01bf44-dadb-447c-b753-4ce8885a2a37
2021-09-17T20:45:28.157+0700    INFO    [beat]  instance/beat.go:1014   Beat info       {"system_info": {"beat": {"path": {"config": "C:\\Program Files\\Winlogbeat", "data": "C:\\Program Files\\Winlogbeat\\data", "home": "C:\\Program Files\\Winlogbeat", "logs": "C:\\Program Files\\Winlogbeat\\logs"}, "type": "winlogbeat", "uuid": "fd01bf44-dadb-447c-b753-4ce8885a2a37"}}}
2021-09-17T20:45:28.157+0700    INFO    [beat]  instance/beat.go:1023   Build info      {"system_info": {"build": {"commit": "1907c246c8b0d23ae4027699c44bf3fbef57f4a4", "libbeat": "7.13.4", "time": "2021-07-14T18:02:43.000Z", "version": "7.13.4"}}}
2021-09-17T20:45:28.157+0700    INFO    [beat]  instance/beat.go:1026   Go runtime info {"system_info": {"go": {"os":"windows","arch":"amd64","max_procs":12,"version":"go1.15.14"}}}
2021-09-17T20:45:28.206+0700    INFO    [beat]  instance/beat.go:1030   Host info       {"system_info": {"host": {"architecture":"x86_64","boot_time":"2021-09-09T10:20:55.72+07:00","name":"3THHP13","ip":["10.23.0.161/32","fe80::21e9:916f:b743:dacd/64","169.254.218.205/16","fe80::7949:d2fe:7c06:457c/64","172.168.1.1/24","fe80::4082:1646:773:d35f/64","169.254.211.95/16","fe80::89c9:a92:821b:bed0/64","169.254.190.208/16","192.168.0.2/24","fe80::c4ea:4257:cc42:c8b1/64","169.254.200.177/16","::1/128","127.0.0.1/8"],"kernel_version":"10.0.19041.1165 (WinBuild.160101.0800)","mac":["02:50:41:00:00:01","34:48:ed:1e:ca:c2","0a:00:27:00:00:13","24:41:8c:c0:99:4c","26:41:8c:c0:99:4b","24:41:8c:c0:99:4b","24:41:8c:c0:99:4f"],"os":{"type":"windows","family":"windows","platform":"windows","name":"Windows 10 Pro","version":"10.0","major":10,"minor":0,"patch":0,"build":"19043.1165"},"timezone":"+07","timezone_offset_sec":25200,"id":"ffc1b065-0761-4fea-8323-2f9644354cb7"}}}
2021-09-17T20:45:28.207+0700    INFO    [beat]  instance/beat.go:1059   Process info    {"system_info": {"process": {"cwd": "C:\\Program Files\\Winlogbeat", "exe": "C:\\Program Files\\Winlogbeat\\winlogbeat.exe", "name": "winlogbeat.exe", "pid": 19448, "ppid": 2300, "start_time": "2021-09-17T20:45:27.833+0700"}}}
2021-09-17T20:45:28.208+0700    INFO    instance/beat.go:309    Setup Beat: winlogbeat; Version: 7.13.4
2021-09-17T20:45:28.209+0700    INFO    [publisher]     pipeline/module.go:113  Beat name: 3THHP13
2021-09-17T20:45:28.211+0700    INFO    beater/winlogbeat.go:69 State will be read from and persisted to C:\Program Files\Winlogbeat\data\.winlogbeat.yml
Config OK

But when I try the setup:

PS C:\Program Files\Winlogbeat> .\winlogbeat.exe setup
Exiting: Index management requested but the Elasticsearch output is not configured/enabled
PS C:\Program Files\Winlogbeat> .\winlogbeat.exe setup -e
2021-09-17T20:46:22.964+0700    INFO    instance/beat.go:665    Home path: [C:\Program Files\Winlogbeat] Config path: [C:\Program Files\Winlogbeat] Data path: [C:\Program Files\Winlogbeat\data] Logs path: [C:\Program Files\Winlogbeat\logs]
2021-09-17T20:46:22.965+0700    INFO    instance/beat.go:673    Beat ID: fd01bf44-dadb-447c-b753-4ce8885a2a37
2021-09-17T20:46:23.048+0700    INFO    [beat]  instance/beat.go:1014   Beat info       {"system_info": {"beat": {"path": {"config": "C:\\Program Files\\Winlogbeat", "data": "C:\\Program Files\\Winlogbeat\\data", "home": "C:\\Program Files\\Winlogbeat", "logs": "C:\\Program Files\\Winlogbeat\\logs"}, "type": "winlogbeat", "uuid": "fd01bf44-dadb-447c-b753-4ce8885a2a37"}}}
2021-09-17T20:46:23.048+0700    INFO    [beat]  instance/beat.go:1023   Build info      {"system_info": {"build": {"commit": "1907c246c8b0d23ae4027699c44bf3fbef57f4a4", "libbeat": "7.13.4", "time": "2021-07-14T18:02:43.000Z", "version": "7.13.4"}}}
2021-09-17T20:46:23.048+0700    INFO    [beat]  instance/beat.go:1026   Go runtime info {"system_info": {"go": {"os":"windows","arch":"amd64","max_procs":12,"version":"go1.15.14"}}}
2021-09-17T20:46:23.103+0700    INFO    [beat]  instance/beat.go:1030   Host info       {"system_info": {"host": {"architecture":"x86_64","boot_time":"2021-09-09T10:20:55.72+07:00","name":"3THHP13","ip":["10.23.0.161/32","fe80::21e9:916f:b743:dacd/64","169.254.218.205/16","fe80::7949:d2fe:7c06:457c/64","172.168.1.1/24","fe80::4082:1646:773:d35f/64","169.254.211.95/16","fe80::89c9:a92:821b:bed0/64","169.254.190.208/16","192.168.0.2/24","fe80::c4ea:4257:cc42:c8b1/64","169.254.200.177/16","::1/128","127.0.0.1/8"],"kernel_version":"10.0.19041.1165 (WinBuild.160101.0800)","mac":["02:50:41:00:00:01","34:48:ed:1e:ca:c2","0a:00:27:00:00:13","24:41:8c:c0:99:4c","26:41:8c:c0:99:4b","24:41:8c:c0:99:4b","24:41:8c:c0:99:4f"],"os":{"type":"windows","family":"windows","platform":"windows","name":"Windows 10 Pro","version":"10.0","major":10,"minor":0,"patch":0,"build":"19043.1165"},"timezone":"+07","timezone_offset_sec":25200,"id":"ffc1b065-0761-4fea-8323-2f9644354cb7"}}}
2021-09-17T20:46:23.103+0700    INFO    [beat]  instance/beat.go:1059   Process info    {"system_info": {"process": {"cwd": "C:\\Program Files\\Winlogbeat", "exe": "C:\\Program Files\\Winlogbeat\\winlogbeat.exe", "name": "winlogbeat.exe", "pid": 21836, "ppid": 2300, "start_time": "2021-09-17T20:46:22.769+0700"}}}
2021-09-17T20:46:23.105+0700    INFO    instance/beat.go:309    Setup Beat: winlogbeat; Version: 7.13.4
2021-09-17T20:46:23.105+0700    INFO    [publisher]     pipeline/module.go:113  Beat name: 3THHP13
2021-09-17T20:46:23.108+0700    INFO    beater/winlogbeat.go:69 State will be read from and persisted to C:\Program Files\Winlogbeat\data\.winlogbeat.yml
2021-09-17T20:46:23.109+0700    ERROR   instance/beat.go:989    Exiting: Index management requested but the Elasticsearch output is not configured/enabled
Exiting: Index management requested but the Elasticsearch output is not configured/enabled

Please help me to fix this problem.
Thanks & Regards

The "setup" argument in Winlogbeat creates the visualizations, index templates, and other resources in the Elastic cluster and Kibana, so it requires direct communication with the cluster. Since you are using Logstash as the output, the setup command is unable to proceed.

Winlogbeat quick start: installation and configuration | Winlogbeat Reference [7.14] | Elastic

Thanks
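One way to run the one-off `setup` against Elasticsearch directly, without editing `winlogbeat.yml` and without leaving Logstash as the shipping output, is to override the output settings on the command line with `-E`. This is an added example, not part of the original thread; it assumes the docker-elk stack on 192.168.87.52 exposes Elasticsearch on port 9200 and Kibana on port 5601 (docker-elk's default port mappings), and that the `elastic`/`changeme` credentials from the Logstash pipeline above are valid against Elasticsearch.

```powershell
# Added example (not from the thread): run Winlogbeat setup with a temporary
# Elasticsearch output, then verify the Logstash path used for normal shipping.
# Assumptions: 192.168.87.52 exposes Elasticsearch on 9200 and Kibana on 5601;
# the elastic/changeme credentials from logstash.conf work for Elasticsearch.
Set-Location "C:\Program Files\Winlogbeat"

# 1. Load index template, ILM policy and dashboards directly into the cluster.
#    output.logstash.enabled=false is required because only one output may be active.
.\winlogbeat.exe setup -e `
  -E "output.logstash.enabled=false" `
  -E "output.elasticsearch.hosts=['192.168.87.52:9200']" `
  -E "output.elasticsearch.username=elastic" `
  -E "output.elasticsearch.password=changeme" `
  -E "setup.kibana.host=192.168.87.52:5601"

# 2. Confirm the Beats port on the Logstash host is reachable from this machine.
Test-NetConnection -ComputerName 192.168.87.52 -Port 5044

# 3. Ask Winlogbeat to test the output configured in winlogbeat.yml (Logstash).
.\winlogbeat.exe test output
```

The `-E` overrides apply only to this invocation, so the Logstash output in `winlogbeat.yml` stays in force when the service starts; note that values passed this way are visible in the shell history and process command line. The template loaded in step 1 matches indices named `winlogbeat-7.13.4-*`, which is why the Logstash `elasticsearch` output must write to an index of that shape rather than the default `logstash-*`.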

My problem comes from Logstash.
After first using the Elasticsearch output to create the index and visualizations and then switching to Logstash, I did not configure the right index in my pipeline, so it couldn't run.

I changed to


output {
        elasticsearch {
                hosts => "elasticsearch:9200"
                user => "elastic"
                password => "changeme"
                ecs_compatibility => disabled
                ## index name must match the winlogbeat-<version>-* template loaded by setup
                index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
        }
}
