I have set up packetbeat on a single client workstation alongside winlogbeat. When running packetbeat it doesn't seem to send the data through to my logstash server. These are the errors I get:
- ERR Failed to publish events caused by: read tcp 10.112.70.96:57164->10.112.7.76:5044: wsarecv: An existing connection was forcibly closed by the remote host.
- ERR Connecting error publishing events (retrying): dial tcp 10.112.7.76:5044: connectex: No connection could be made because the target machine actively refused it.
Winlogbeat has started to show the same error, but its events seem to be written OK to elasticsearch.
This is my logstash config:
input {
  beats {
    port => 5044
  }
}
filter {
  if [event_id] > 0 {
    translate {
      dictionary => [
        "4624", "Successful Logon",
        "4625", "Failed Logon",
        "4648", "A logon was attempted using explicit credentials",
        "4720", "A user account was created",
        "4722", "A user account was enabled",
        "4723", "An attempt was made to change an account's password",
        "4724", "An attempt was made to reset an accounts password",
        "4725", "A user account was disabled",
        "4726", "A user account was deleted",
        "4738", "A user account was changed",
        "4740", "A user account was locked out",
        "4767", "A user account was unlocked",
        "4781", "The name of an account was changed",
        "4782", "The password hash an account was accessed"
      ]
      field => "event_id"
      destination => "Event_Translation"
    }
  }
}
output {
  elasticsearch {
    hosts => "ABZELK02:9200"
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM}"
    document_type => "%{[@metadata][type]}"
  }
}
Here is my Packetbeat config file:
packetbeat.interfaces.device: 1
packetbeat.flows:
  timeout: 30s
  period: 10s
packetbeat.protocols.icmp:
  enabled: true
packetbeat.protocols.amqp:
  ports: [5672]
packetbeat.protocols.cassandra:
  ports: [9042]
packetbeat.protocols.dns:
  ports: [53]
  include_authorities: true
  include_additionals: true
packetbeat.protocols.http:
  ports: [80, 8080, 8000, 5000, 8002]
packetbeat.protocols.memcache:
  ports: [11211]
packetbeat.protocols.mysql:
  ports: [3306]
packetbeat.protocols.pgsql:
  ports: [5432]
packetbeat.protocols.redis:
  ports: [6379]
packetbeat.protocols.thrift:
  ports: [9090]
packetbeat.protocols.mongodb:
  ports: [27017]
packetbeat.protocols.nfs:
  ports: [2049]
tags: ["PacketBeat-Test"]
output.logstash:
  hosts: ["10.112.7.76:5044"]
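The two error lines in the question describe different failure modes: "actively refused" means nothing completed the TCP handshake on 10.112.7.76:5044, while "forcibly closed by the remote host" means a listener accepted the connection and then dropped it. The following triage script is an added example, not code from the original post or from Elastic; it classifies Beats error lines of those two shapes, probes the Logstash port, and includes a local self-check for the probe. The addresses are the ones quoted in the question, the INFO line is constructed, and the cause hints are assumptions about common causes rather than a diagnosis of this setup.

```python
"""Triage helper for Beats -> Logstash connection errors (added example)."""
import re
import socket

# Two error lines quoted in the question plus one constructed INFO line that
# the classifier must ignore.
SAMPLE_LOG_LINES = [
    "ERR Failed to publish events caused by: read tcp 10.112.70.96:57164->"
    "10.112.7.76:5044: wsarecv: An existing connection was forcibly closed by the remote host.",
    "ERR Connecting error publishing events (retrying): dial tcp 10.112.7.76:5044: "
    "connectex: No connection could be made because the target machine actively refused it.",
    "INFO Non-zero metrics in the last 30s",  # constructed, not an error
]

# A connection that was accepted and then torn down by the peer.
RESET_RE = re.compile(
    r"read tcp (?P<src>[\d.]+:\d+)->(?P<host>[\d.]+):(?P<port>\d+): .*forcibly closed"
)
# A connection attempt that nothing answered.
REFUSED_RE = re.compile(r"dial tcp (?P<host>[\d.]+):(?P<port>\d+): .*refused")

# Assumed common causes; hints for where to look, not a diagnosis.
HINTS = {
    "refused": "no listener completed the TCP handshake on that port: Logstash not running, "
               "the beats input not bound to that port, or a host firewall rejecting it",
    "reset": "the listener accepted the connection and then closed it: check the Logstash "
             "log for the beats input restarting, a pipeline reload, or one side expecting TLS",
}


def classify_beat_error(line):
    """Return {'kind', 'host', 'port', 'hint'} for a recognised error line, else None."""
    m = RESET_RE.search(line)
    if m:
        kind = "reset"
    else:
        m = REFUSED_RE.search(line)
        if not m:
            return None
        kind = "refused"
    return {"kind": kind, "host": m.group("host"), "port": int(m.group("port")),
            "hint": HINTS[kind]}


def probe_port(host, port, timeout=3.0):
    """TCP-connect to host:port and report 'open', 'refused', 'timeout' or 'error: ...'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as exc:
        return f"error: {exc}"


def triage(lines, probe=False):
    """Classify every line; optionally probe each distinct target once."""
    findings = [f for f in map(classify_beat_error, lines) if f]
    targets = sorted({(f["host"], f["port"]) for f in findings})
    report = [f"{f['kind']:8s} {f['host']}:{f['port']}  {f['hint']}" for f in findings]
    if probe:
        for host, port in targets:
            report.append(f"probe    {host}:{port} -> {probe_port(host, port)}")
    return report


def demo_probe_states():
    """Self-check for probe_port using a throwaway listener on 127.0.0.1.

    Returns (result while listening, result after close): expected ('open', 'refused').
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = probe_port("127.0.0.1", port, timeout=1.0)
    srv.close()
    after_close = probe_port("127.0.0.1", port, timeout=1.0)
    return while_listening, after_close


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG_LINES, probe=True):
        print(entry)
    print("local probe self-check:", demo_probe_states())
```

Run it on the client workstation that runs Packetbeat, since that is the path the Beat itself uses; a "refused" probe from there points at the Logstash side (process, `beats { port => 5044 }` binding, or a firewall), while "open" together with repeated "reset" lines points at the Logstash log rather than the network.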