Error Config send log from Windows client to ELK Server Ubuntu


(tuni) #1

Hi everyone,
I set up a lab for my room.


I have finished setting up the lab, but the config to send logs from Windows 10 to ELK on Ubuntu has a problem.
2018-09-13T15:44:20.359+0700 ERROR pipeline/output.go:91 Failed to connect: read tcp 172.16.99.100:50581->172.16.99.101:5044: wsarecv: An existing connection was forcibly closed by the remote host.
2018-09-13T15:44:46.612+0700 INFO [monitoring] log/log.go:141 Non-zero metrics in the last 30s {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":437,"time":{"ms":16}},"total":{"ticks":1827,"time":{"ms":47},"value":1827},"user":{"ticks":1390,"time":{"ms":31}}},"info":{"ephemeral_id":"2f4e1b0d-e296-4162-8c6e-5c9c19700b71","uptime":{"ms":390066}},"memstats":{"gc_next":32218112,"memory_alloc":16111120,"memory_total":118134544,"rss":-1171456}},"libbeat":{"config":{"module":{"running":0}},"output":{"write":{"errors":1}},"pipeline":{"clients":4,"events":{"active":4120,"retry":2048}}}}}}
2018-09-13T15:45:16.614+0700 ERROR pipeline/output.go:91 Failed to connect: write tcp 172.16.99.100:50588->172.16.99.101:5044: wsasend: An existing connection was forcibly closed by the remote host.
2018-09-13T15:45:46.615+0700 INFO [monitoring] log/log.go:141 Non-zero metrics in the last 30s {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":468},"total":{"ticks":1858,"value":1858},"user":{"ticks":1390}},"info":{"ephemeral_id":"2f4e1b0d-e296-4162-8c6e-5c9c19700b71","uptime":{"ms":450069}},"memstats":{"gc_next":32218112,"memory_alloc":16197704,"memory_total":118221128}},"libbeat":{"config":{"module":{"running":0}},"output":{"read":{"errors":1},"write":{"bytes":142}},"pipeline":{"clients":4,"events":{"active":4120,"retry":2048}}}}}}

My config

winlogbeat.yml

winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: Security
  - name: System
  - name: Microsoft-windows-sysmon/operational

output.logstash:
  hosts: ["172.16.99.101:5044"]
  ssl.certificate_authorities: ['C:\Tools\ELK\certs\logstash-forwarder.crt']

How do I fix this problem?
Thanks, all!!!


(Magnus Bäck) #2

Wild guess: Winlogbeat is using SSL but Logstash isn't, or vice versa.


(tuni) #3

Thank you, but I am doing it with the cyberwardog lab. If you can, can you config from Winlogbeat to Logstash?


(Magnus Bäck) #4

I'm afraid I don't understand your question.


(tuni) #5

I mean: how do I configure Winlogbeat to send event logs to Logstash on Ubuntu 18.04? :frowning:


(Magnus Bäck) #6

Did you look into the suggestion I gave earlier (SSL configuration mismatch)? Have you checked the Logstash log for clues?
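
One way to test the SSL-mismatch guess from the client side, as an added example that is not part of the original thread: the Python sketch below attempts a TLS handshake against the Logstash Beats port and classifies the result. The function name `probe_listener` and its return labels are assumptions made for this example; the host, port and CA path in the `__main__` part are the ones from the posted winlogbeat.yml.

```python
import socket
import ssl


def probe_listener(host, port, cafile=None, timeout=5.0):
    """Try a TLS handshake against a listener and classify the outcome.

    Returns "tls-ok", "tls-cert-untrusted", "not-tls" or "unreachable".
    """
    # With cafile set, only that CA file is trusted (like ssl.certificate_authorities in Beats)
    ctx = ssl.create_default_context(cafile=cafile)
    # Assumption: lab certificates often do not match the name or IP used to connect
    ctx.check_hostname = False
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"  # refused, filtered or no route: not an SSL problem
    try:
        with ctx.wrap_socket(raw):
            return "tls-ok"  # listener speaks TLS and its certificate chains to cafile
    except ssl.SSLCertVerificationError:
        return "tls-cert-untrusted"  # TLS is on, but the CA file does not match
    except (ssl.SSLError, OSError):
        # Reset, EOF, timeout or garbage in reply to the ClientHello:
        # the listener is most likely plain TCP
        return "not-tls"
    finally:
        raw.close()  # harmless if wrap_socket already took over the socket


if __name__ == "__main__":
    # Host, port and CA path as posted in the winlogbeat.yml above
    print(probe_listener("172.16.99.101", 5044,
                         cafile=r"C:\Tools\ELK\certs\logstash-forwarder.crt"))
```

A result of `not-tls` means the Beats client is offering TLS to a listener that does not speak it, which matches the "forcibly closed by the remote host" errors in the log; `tls-cert-untrusted` means TLS is enabled on both sides but the client's CA file does not cover the server certificate.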


(tuni) #7

Thank you. I have fixed my problem.

