Elasticsearch not receiving ForwardedEvents

mathurin68 · April 5, 2019, 4:21am

Collector on Server 2016 and ElasticStack 6.7
All events appear to be coming into the ForwardedEvents on the Collector, all that seems to work OK.

And I know it's coming through the logstash pipe because it set up my index which I have configured in conf.d.
winlogbeat-2019.14

I've got winlogbeat.yml set up like this -

winlogbeat.event_logs:
  - name: ForwardedEvents
    ignore_older: 2h
 #   event_id: 4688, 5156 
#    ignore_older: 2h
  - name: Security
    event_id: 4633, 4688, 4657, 5156
  - name: Microsoft-Windows-Powershell/Operational
    event_id: 4103, 4104
  - name: Microsoft-Windows-WMI-Activity/Operational
    event_id: 5857, 5859, 5860, 5861

The events for the local Collector are going to the elasticstack BUT I'm not getting ANY of the forwarded events or events that come INTO the Collector...

Hope that makes sense, really strange I've set up about 10 elasticstacks and never had this problem.

Appreciate any thoughts, thanks!!

mathurin68 · April 6, 2019, 6:48pm

Lack of sleep over the last few days... no idea what I was doing wrong but it's working now.

system · May 4, 2019, 8:48pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.