Configuring FileBeat.yml For Windows

Elastic Stack Beats
1

Hi, I have been looking for some time on how set up configuration of filebeat.yml on a windows client to ship logs to a ubuntu host that has the elk stack installed. I have the service installed and running, but am completely unsure of where to go from here.

Thanks for the help

2

Have you tried following the Getting Started Guide for Filebeat?

3

Yes. But how do windows logs get to the directory shown in that example? Furthermore, when i un-comment the Windows path, I am unable to start the filebeat service. Error 1053

4

It is assumed that you have applications that are producing log files that you want to read. Windows itself does not use log files to record events; it reports its events to its Event Log service (this is the data you view with the Window Event Viewer). To collect data from the Event Log service you would use Winlogbeat and not Filebeat.

You need to modify Filebeat's config file to point to the location(s) of the log files you want to collect. If the locations are not valid this will cause an error and Filebeat will not start. The errors will be recorded in the Filebeat log file.

5

Alright, well. with winlogbeat... i get this:

2017-06-08T08:15:50-04:00 ERR Failed to publish events caused by: EOF
2017-06-08T08:15:50-04:00 INFO Error publishing events (retrying): EOF
2017-06-08T08:16:01-04:00 ERR Connecting error publishing events (retrying): Get http://***********:9200: dial tcp X.X.X.X:9200: connectex: No connection could be made because the target machine actively refused it.
6

The error seems to indicate that there is firewall blocking the connection.

7

It turns out, server configuration was bad. I rebuilt the server and configured things for winlogbeat. I have logs sending from a client server to the host, but nothing showing up in kibana. Where should i be looking?

8

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.