Error sending logs - Failed to publish events caused by: EOF


(Rob Smith) #1

Hi,

Seems a few people have this issue and different things resolve it for different users - I have read a lot of topics and tried many things, but I am still unable to get my Windows event logs to Elasticsearch. Note I am very new to this, so hopefully it is just something simple I have done wrong.

Note I have Filebeat running on two Ubuntu servers and the data from them is visible in Kibana.

The winlogbeat file in C:\ProgramData\winlogbeat\Logs shows:

2017-02-15T21:34:54+11:00 INFO Non-zero metrics in the last 30s: libbeat.logstash.publish.read_errors=1 libbeat.logstash.published_but_not_acked_events=1 libbeat.logstash.call_count.PublishEvents=1 libbeat.logstash.publish.write_bytes=645
2017-02-15T21:35:24+11:00 INFO No non-zero metrics in the last 30s
2017-02-15T21:35:30+11:00 DBG  connect
2017-02-15T21:35:30+11:00 DBG  Try to publish 1 events to logstash with window size 1
2017-02-15T21:35:30+11:00 DBG  handle error: EOF
2017-02-15T21:35:30+11:00 DBG  closing
2017-02-15T21:35:30+11:00 DBG  0 events out of 1 events sent to logstash. Continue sending
2017-02-15T21:35:30+11:00 DBG  close connection
2017-02-15T21:35:30+11:00 ERR Failed to publish events caused by: EOF
2017-02-15T21:35:30+11:00 INFO Error publishing events (retrying): EOF
2017-02-15T21:35:30+11:00 DBG  close connection
2017-02-15T21:35:30+11:00 DBG  send fail

My Winlogbeat.yml file is:

winlogbeat.event_logs:
   - name: Security
     ignore_older: 2h
     event_id: 4727, 4731, 4754, 4726

output.logstash:
  hosts: ["192.168.0.222:5044"]
  bulk_max_size: 1024
  index: winlogbeat

  sls:
    certificate_authorities: ["C:/ProgramData/winlogbeat/logstash-forwarder.crt"]

logging.to_files: true
logging.files:
  path: C:/ProgramData/winlogbeat/Logs
logging.level: debug

I am a bit confused about what config file I should have running on the Logstash server. I do have /etc/logstash/conf.d/02-beats-input.conf, which contains:

input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}

output {
  elasticsearch {
    hosts => "localhost:9200"
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}

Any help to get my Windows event logs showing in Kibana will be much appreciated, and let me know if I need to provide any more info/logs.


(Andrew Kroh) #2

Try it with ssl instead of sls.


(Rob Smith) #3

Hi Andrew,

Thank you, that fixed my issue - I had changed to tls as one post has said, and then when I changed back to ssl I obviously stuffed up with my typing.

Event logs are rolling in now - cheers for your speedy reply.
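
Added example, not part of the thread and not Elastic's own tooling: a small lint that would have caught the `sls` typo by comparing the keys under `output.logstash` against a list of expected option names. The functions `section_keys` and `lint` and the partial `KNOWN_KEYS` list are assumptions made for this example, and the sample input is constructed from the config in the first post.

```python
import difflib

# Partial list of output.logstash option names, chosen for this example
# (assumption: not exhaustive; extend it from the reference for your Beats version).
KNOWN_KEYS = {"hosts", "index", "bulk_max_size", "ssl", "worker", "loadbalance", "timeout"}

# Constructed sample: the output section from the first post, typo included.
SAMPLE = """\
output.logstash:
  hosts: ["192.168.0.222:5044"]
  bulk_max_size: 1024
  index: winlogbeat

  sls:
    certificate_authorities: ["C:/ProgramData/winlogbeat/logstash-forwarder.crt"]

logging.level: debug
"""

def section_keys(text, section="output.logstash"):
    """Return the direct child keys of a top-level section (block-style YAML only)."""
    keys, inside, child_indent = [], False, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:
            inside = (line == section + ":")
        elif inside:
            if child_indent is None:
                child_indent = indent
            if indent == child_indent and ":" in line:
                keys.append(line.strip().split(":", 1)[0])
    return keys

def lint(text):
    """Report unrecognised keys and a missing ssl section under output.logstash."""
    keys, findings = section_keys(text), []
    for key in keys:
        if key not in KNOWN_KEYS:
            guess = difflib.get_close_matches(key, sorted(KNOWN_KEYS), n=1)
            hint = f" (did you mean '{guess[0]}'?)" if guess else ""
            findings.append(f"unknown key '{key}' under output.logstash{hint}")
    if "ssl" not in keys:
        findings.append("no 'ssl' section under output.logstash: no TLS settings are read")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

Running a check like this before restarting the service surfaces a misspelled section name directly, rather than as an `EOF` in the debug log.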

