Error between filebeat and logstash

Hello,

I have a problem to parse log from a windows sevrer 2012 with filebeat.

The logstash is in a ubuntu server. The stack work fine beacause log from other linux server arrived correctly.

I'm using ELK v6.

I think it's a problem with the ssl option on windows server because when i configure the ssl option into filebeat the filebeat service return an error when I try to launch it.

Coul'd someone help me ?

Thanks.

Can you please add filebeat configuration + logs?

Filebeat conf on windows server

What kind of log do you want ?

Can you please post text instead of pictures?

The filebeat logs, so we can have a look for error messages. See log output docs.

Also, logstash beat input configuration.

Tip: use single quotes for paths on windows. Then you don't have to deal with escaping the \ symbol.

This is the inpuet beats conf on logstash :

input {
beats {
port => 5044
ssl => true
ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
}
}

And this is the logon windows sever:

Le service filebeat n’a pas pu démarrer en raison de l’erreur :
Le service n’a pas répondu assez vite à la demande de lancement ou de contrôle.

I can't find anything in the configuration. Please post filebeat logs. My french is pretty rusty, but given the windows error message I assume you installed filebeat as a service, but the service doesn't even start correctly due to timeout on startup. Run filebeat via filebeat.exe -e -v -d '*' -c <path>\to\filebeat.yml in a terminal. This will run filebeat in foreground and print all logs (the -d flag enables debug logging) right to your terminal.

Thanks for the trick, I have found the error... A mistake in the name of cert...

But I have 0 log into my logstash from my windows.

How I can declare my windows log into filebeat.yml ?

Filebeat is about shipping files. For Windows Event Logs use winlogbeat. It's a special beat tailored for collecting event logs.

This article gives some good details on setting up the Elastic Stack for windows event logs: http://www.ubersec.com/2017/12/03/monitoring-for-windows-event-logs-and-the-untold-story-of-proper-elk-integration/

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.