I recently upgraded my stack to 6.2 from 5.7.1, and struggled to get Filebeat working. On my Linux hosts, I had to upgrade to Filebeat-6.2, as well as to create a new Filebeat index based on Filebeat-6.2 in my Elastic host. So, Filebeat is working on my Linux hosts.
Not so on my Windows hosts. I tried to follow the same procedure - upgraded to 6.2. However, at best, I can start the Filebeat service, only to have it die shortly thereafter. I believe this has to do with my SSL certificate, or lack thereof. If I add the following to filebeat.yml, the service errors/won't start:
ssl.certificate_authorities: ["C:\Program Files\filebeat\ELK.crt"]
Here's the entire section:
    output.logstash:
      # The Logstash hosts
      hosts: ["10.0.101.101:5044"]

      # Optional SSL. By default is off.
      # List of root certificates for HTTPS server verifications
      #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
      #ssl.certificate_authorities: ["C:\Program Files\filebeat\ELK.crt"]

      # Certificate for SSL client authentication
      #ssl.certificate: "/etc/pki/client/cert.pem"

      # Client Certificate Key
      #ssl.key: "C:\Program Files\filebeat\ELK.key"
This was the same directive (without the "ssl.") that I had used with the earlier version that was installed (1.3.1, iirc, or whatever version worked with the 5.x Elastic stack). As mentioned earlier, if I remove that directive, the Filebeat service starts, but dies soon thereafter.
Can anyone help me get Filebeat working on Windows?
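One check worth running on a setting like the one quoted above, as an added example that is not part of the original post: YAML double-quoted strings process backslash escapes, so a Windows path written that way can be altered or rejected by the parser, while a single-quoted string is taken literally. The function name, the escape set (taken from the YAML 1.2 spec) and the sample text, including its single-quoted last line, are constructed for illustration.

```python
import re

# Escape characters defined for double-quoted scalars in the YAML 1.2 spec.
YAML_ESCAPES = set('0abt\tnvfre "/\\N_LPxuU')

# A double-quoted scalar on one line, allowing backslash-escaped characters.
DQ_SCALAR = re.compile(r'"((?:[^"\\]|\\.)*)"')


def check_double_quoted_paths(yaml_text):
    """Return (line_no, escape, verdict) for each backslash escape inside a
    double-quoted scalar on a non-comment line.

    verdict is "rewritten" when YAML defines the escape (the parser swaps it
    for another character, e.g. \\f becomes a form feed) and "invalid" when
    it does not (a spec-conforming parser rejects the document).
    """
    findings = []
    for line_no, line in enumerate(yaml_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out settings are never parsed
        for scalar in DQ_SCALAR.finditer(line):
            for esc in re.finditer(r"\\(.)", scalar.group(1)):
                ch = esc.group(1)
                if ch in '\\"':
                    continue  # \\ and \" are deliberate escaping
                verdict = "rewritten" if ch in YAML_ESCAPES else "invalid"
                findings.append((line_no, "\\" + ch, verdict))
    return findings


# Constructed sample: the post's settings, one uncommented with double quotes,
# plus a single-quoted variant (an assumption, not from the post).
SAMPLE = r"""output.logstash:
  hosts: ["10.0.101.101:5044"]
  ssl.certificate_authorities: ["C:\Program Files\filebeat\ELK.crt"]
  #ssl.key: "C:\Program Files\filebeat\ELK.key"
  ssl.certificate: 'C:\Program Files\filebeat\ELK.crt'
"""

if __name__ == "__main__":
    for line_no, escape, verdict in check_double_quoted_paths(SAMPLE):
        print(f"line {line_no}: {escape} is {verdict}")
```

Only the double-quoted line is reported; the single-quoted form and forward slashes ("C:/Program Files/filebeat/ELK.crt") both avoid escape processing.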