Elasticsearch not receiving ForwardedEvents

mathurin68 · April 5, 2019, 4:21am

Collector on Server 2016 and ElasticStack 6.7
All events appear to be coming into the ForwardedEvents on the Collector, all that seems to work OK.

And I know it's coming through the logstash pipe because it set up my index which I have configured in conf.d.
winlogbeat-2019.14

I've got winlogbeat.yml set up like this -

winlogbeat.event_logs:
  - name: ForwardedEvents
    ignore_older: 2h
 #   event_id: 4688, 5156 
#    ignore_older: 2h
  - name: Security
    event_id: 4633, 4688, 4657, 5156
  - name: Microsoft-Windows-Powershell/Operational
    event_id: 4103, 4104
  - name: Microsoft-Windows-WMI-Activity/Operational
    event_id: 5857, 5859, 5860, 5861

The events for the local Collector are going to the elasticstack BUT I'm not getting ANY of the forwarded events or events that come INTO the Collector...

Hope that makes sense, really strange I've set up about 10 elasticstacks and never had this problem.

Appreciate any thoughts, thanks!!

mathurin68 · April 6, 2019, 6:48pm

Lack of sleep over the last few days... no idea what I was doing wrong but it's working now.

system · May 4, 2019, 8:48pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Winlogbeat performance issue Beats winlogbeat	5	1680	August 31, 2018
Missing events from Windows Event Collector (WEC) Beats winlogbeat	1	1167	March 6, 2020
ELK 5.5 : Winlogbeats no Messages displayed form ForwardedEvents Beats winlogbeat	7	1649	August 21, 2017
Winlogbeat can't send events to Elasticsearch Beats	2	315	March 16, 2020
[WinLogBeats] Missing events from ForwardedEvents channel Beats	3	587	April 20, 2020

Elasticsearch not receiving ForwardedEvents

Related topics