Encounter an error while startup winlogbeat

ravipemmasani · August 5, 2019, 7:26am

Hello Team,

While we are doing POC,i am getting following error when starting up WinlogBeat on remote Host.Following is my ELK stack version info.Would really appreciate your help.

Syslog-ng-3.21
ElasticSearch-7.2
Logstasch-7.2.1
Kibana-7.2.0

2019-08-05T14:37:53.190+0800 ERROR instance/beat.go:877 Exiting: error c
onnecting to Kibana: fail to get the Kibana version: HTTP GET request to http://
localhost:5601/api/status fails: fail to execute the HTTP GET request: Get http:
//localhost:5601/api/status: dial tcp [::1]:5601: connectex: No connection could
be made because the target machine actively refused it.. Response: .
Exiting: error connecting to Kibana: fail to get the Kibana version: HTTP GET re
quest to http://localhost:5601/api/status fails: fail to execute the HTTP GET re
quest: Get http://localhost:5601/api/status: dial tcp [::1]:5601: connectex: No
connection could be made because the target machine actively refused it.. Respon
se: .

Regards
Ravi.

ravipemmasani · August 5, 2019, 7:30am

Hello Team,

Just to add on ,ELK stack & Syslog-ng being setup on RHEL-7.5,the remote host where we installed winlogbeat running on Windows 2012.
In order to access KIbana,the URL http://localhost:5601doesn't work,it works only with IP.

Regards
Ravi.

kvch · August 5, 2019, 10:25am

The error you are getting is due to Kibana not being reachable on localhost:5601. Are you sure you configured setup.kibana.host correctly? If Winlogbeat is on a remote host (not on the same host as Kibana is), you need to change the value in this option.

ravipemmasani · August 5, 2019, 1:36pm

Hi Noémi Ványi,

Thanks for responding to my email.

Please note that iam able to access Kibana via IP only,localhost doesn't work.

Kindly refer attached for your further assessment.

Would really appreciate your help.

Regards

Ravi.

(Attachment ELK_Stack_Config.docx is missing)

kvch · August 5, 2019, 3:09pm

Are Winlogbeat and Kibana running on the same host?

Also, the attachment you have shared is not available. In the future please share everything in plaintext and format it using </> if needed.

ravipemmasani · August 6, 2019, 12:21am

Hi Noémi Ványi,

ELK Stack(Elastic Search/Log Stash/Kibana) has been running on different host from Winlogbeat.

Kindly refer attached ELK stack config & error log for your further review and advice.

Regards

Ravi.

(Attachment ELK_Stack_config1.rtf is missing)

kvch · August 6, 2019, 12:08pm

localhost is a hostname which refers to the host Winlogbeat runs on. You are seeing the error because Kibana is not running on the same machine as Winlogbeat does.
Just use the IP address of the machine which runs Kibana. Or is there another issue?

ravipemmasani · August 6, 2019, 1:17pm

Hi Noémi Ványi,

Thanks for the update.

Kindly correct me if my understanding wrong.

ELK Stack components ElasticSearch+Kibana and syslog-ng installed on host server(centralized log server) runs on Red Hat Linux.

Remote Host(client application) runs on Windows for Log collection,installed Winlogbeat only.

kibana & elasticsearch host IP-10.81.162.251

Kindly take a look winlogbeat.yml for your review.

###################### Winlogbeat Configuration Example ########################

This file is an example configuration file highlighting only the most common

options. The winlogbeat.reference.yml file from the same directory contains

all the supported options with more comments. You can use it as a reference.

ravipemmasani · August 7, 2019, 12:17am

Iam awaiting for your reply,kindly advice me at the earliest.

Regards

Ravi

system · September 4, 2019, 12:17am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.