ELK on Windows Server 2016 with Filebeat on Windows 10 client - problems

Hello,

I've set up ELK 7.4.2 on Windows Server 2016, with some of these references:


http://robwillis.info/2019/05/installing-elk-7-elasticsearch-logstash-and-kibana-windows-server-2016/

and I've set up Filebeat on my Windows 10 client machine.
It looks like all the installations are fine, and I'm able to start all services.
But no data seems to be inserted into Elasticsearch. I'm not sure what's going wrong.

On the server machine:

  1. When I enter this in a browser:
    http://localhost:9200/

I see the details correctly.

  2. And on this:
    http://localhost:9200/_cat/indices

I see these indexes:

```
green open .kibana_task_manager_1 MNLTzyjNQk2_DBwLbLAUjQ 1 0 2 0 13.3kb 13.3kb
green open kibana_sample_data_ecommerce MD4yCUShR4KJi0qzrWo1lQ 1 0 4675 0 4.4mb 4.4mb
green open .apm-agent-configuration bqpM6GzVS7mJJNtxbWrVvg 1 0 0 0 283b 283b
green open .kibana_1 9S6hqlJnS2KxsKPYh1viyw 1 0 74 7 954.3kb 954.3kb
```

  3. On viewing Kibana, in the browser:
    http://127.0.0.1:5601/ and then selecting "Index Patterns", I see only

kibana_sample_data_ecommerce

and I don't see anything related to filebeat*

On the Client machine:

  1. Filebeat is installed and configured correctly.
    I've enabled logstash output with the correct IP and port address.

What could be wrong? I should be able to see the indices getting created and then be able to query for data.

Thanks,
Jy

Could you please share your configuration formatted using </> and the debug logs of Filebeat?

Yes, actually I have another discussion thread in the "Elasticsearch" forum on the same topic. I've posted the configurations there. Please check:

Anyway, here again:

  1. Filebeat:

```yaml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - C:\ProgramData\DiagramOne\STool\Trace*

output.logstash:
  hosts: ["MyserverIP:5044"]
  bulk_max_size: 1024
```

These are the only things I've changed.

And for Logstash on the Server:
The logstash.conf file contains:
```
input {
  beats {
    port => 5044
    type => "log"
  }
}

output {
  elasticsearch {
    hosts => "http://localhost:9200"
    sniffing => true
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}
```

And maybe loading the templates manually is required? I'm still checking this:

https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-template.html

Hi,

I'm actually trying this now:
Load the index template in Elasticsearch:
https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-template.html
and I get these errors in the log file.

```
2019-11-28T15:44:23.248+0530 INFO [publisher] pipeline/module.go:97 Beat name: Something
2019-11-28T15:44:23.250+0530 INFO elasticsearch/client.go:170 Elasticsearch url: http://192.168.103.84:9200
2019-11-28T15:44:25.269+0530 ERROR elasticsearch/elasticsearch.go:260 Error connecting to Elasticsearch at http://192.168.103.84:9200: Get http://192.168.103.84:9200: dial tcp 192.168.103.84:9200: connectex: No connection could be made because the target machine actively refused it.
2019-11-28T15:44:25.269+0530 ERROR instance/beat.go:878 Exiting: Couldn't connect to any of the configured Elasticsearch hosts. Errors: [Error connection to Elasticsearch http://192.168.103.84:9200: Get http://192.168.103.84:9200: dial tcp 192.168.103.84:9200: connectex: No connection could be made because the target machine actively refused it.]
```

Please note that the m/c where ELK is installed has the firewall disabled, and I've also added firewall rules to allow incoming to ELK. So, I'm not sure why this error occurs.

Also, I'm able to ping the ELK m/c from my client m/c.
Thanks.
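
An added example, not part of the original posts: a small Python check, run from the client, that tells apart the three outcomes of a TCP connect to the two ports named in this thread (5044 for the Logstash beats input, 9200 for Elasticsearch). A successful ping only proves the host answers ICMP; "actively refused" means the host replied but nothing accepts connections on that address and port. The function names, the `HINTS` wording and the loopback self-check are assumptions made for this example.

```python
import socket
import sys

# Ports from the thread: Logstash beats input (5044), Elasticsearch HTTP (9200).
PORTS = {"logstash beats input": 5044, "elasticsearch http": 9200}

HINTS = {
    "open": "a listener accepted the connection",
    "refused": "host is reachable but nothing listens on this address and port "
               "(service stopped, or bound to another interface such as loopback)",
    "timeout": "no reply at all (packets dropped by a firewall, or no route)",
}


def probe(host, port, timeout=2.0):
    """Classify one TCP connection attempt as open, refused, timeout or error."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as exc:  # name resolution failure, unreachable network, ...
        return "error: %s" % exc


def check(host, ports=PORTS):
    """Probe every named port on host; return {name: (result, hint)}."""
    report = {}
    for name, port in ports.items():
        result = probe(host, port)
        report[name] = (result, HINTS.get(result, "see error text"))
    return report


def demo():
    """Offline self-check on loopback: a listening port, then the same port closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # constructed test listener, OS-chosen port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = probe("127.0.0.1", port)
    listener.close()
    after_close = probe("127.0.0.1", port)
    return while_open, after_close


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for name, (result, hint) in check(host).items():
        print("%-22s %-8s %s" % (name, result, hint))
```

Elasticsearch binds only to loopback addresses unless `network.host` is set in `elasticsearch.yml`, which matches `http://localhost:9200/` answering on the server while a remote connect to 9200 is refused. If that setting is changed so other machines can reach 9200, limit the port with firewall rules to the hosts that need it, since the Logstash output above connects without credentials.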
