[HELP] Cannot receive data from winlogbeat on Windows Server 2012 R2

Hello everyone, I am struggling to receive logs from winlogbeat on Windows Server 2012 R2.
Things to mention:
On Windows Server 2016+ it's working completely fine.
On Windows 10 PCs (Pro/Home) it's working completely fine.
I tried installing old versions of elasticsearch + kibana, but it still does not work on 2012 R2.

Here is my current and simple configuration (/etc/elasticsearch/elasticsearch.yml):

path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 192.168.200.169
http.port: 9200

Kibana configuration:

server.port: 5601
server.host: "192.168.200.169"
elasticsearch.url: "http://192.168.200.169:9200"
elasticsearch.ssl.verificationMode: none

Winlogbeat config:

winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: System
  - name: Security
  - name: ForwardedEvents
    tags: [forwarded]
  - name: Windows PowerShell
    event_id: 400, 403, 600, 800
  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104, 4105, 4106

setup.template.settings:
  index.number_of_shards: 1

setup.kibana:
  host: "192.168.200.169:5601"

output.elasticsearch:
  hosts: ["192.168.200.169:9200"]
  protocol: "http"

When I run winlogbeat with the following command: ".\winlogbeat.exe -c .\winlogbeat.yml -e" it shows the same logs on both the 2016 and 2012 R2 servers.

Sample Logs:

2021/01/04 12:35:19.401823 eventlogger.go:56: INFO EventLog[Security] successfully published 50 events
2021/01/04 12:35:19.417812 eventlogger.go:56: INFO EventLog[Security] successfully published 50 events
2021/01/04 12:35:19.437800 eventlogger.go:56: INFO EventLog[Security] successfully published 50 events
2021/01/04 12:35:19.453790 eventlogger.go:56: INFO EventLog[Security] successfully published 50 events
2021/01/04 12:35:19.467782 eventlogger.go:56: INFO EventLog[Security] successfully published 50 events
2021/01/04 12:35:19.487770 eventlogger.go:56: INFO EventLog[Security] successfully published 50 events
2021/01/04 12:35:19.505759 eventlogger.go:56: INFO EventLog[Security] successfully published 50 events
2021/01/04 12:35:19.532745 eventlogger.go:56: INFO EventLog[Security] successfully published 50 events
2021/01/04 12:37:03.407636 eventlogger.go:56: INFO EventLog[Windows PowerShell] successfully published 43 events
2021/01/04 12:37:03.407636 eventlogger.go:56: INFO EventLog[System] successfully published 7 events
2021/01/04 12:37:03.416635 eventlogger.go:56: INFO EventLog[Windows PowerShell] successfully published 50 events
2021/01/04 12:37:03.433634 eventlogger.go:56: INFO EventLog[Security] successfully published 49 events
2021/01/04 12:37:03.433634 eventlogger.go:56: INFO EventLog[Windows PowerShell] successfully published 1 events
2021/01/04 12:37:03.446636 eventlogger.go:56: INFO EventLog[Security] successfully published 50 events
2021/01/04 12:37:03.457638 eventlogger.go:56: INFO EventLog[System] successfully published 31 events
2021/01/04 12:37:03.457638 eventlogger.go:56: INFO EventLog[Windows PowerShell] successfully published 18 events
2021/01/04 12:37:03.458638 eventlogger.go:56: INFO EventLog[Security] successfully published 1 events
2021/01/04 12:37:03.467639 eventlogger.go:56: INFO EventLog[Windows PowerShell] successfully published 27 events
2021/01/04 12:37:03.467639 eventlogger.go:56: INFO EventLog[System] successfully published 23 events
2021/01/04 12:37:03.475638 eventlogger.go:56: INFO EventLog[System] successfully published 41 events
2021/01/04 12:37:03.475638 eventlogger.go:56: INFO EventLog[Windows PowerShell] successfully published 9 events
2021/01/04 12:37:03.502640 eventlogger.go:56: INFO EventLog[Windows PowerShell] successfully published 45 events
2021/01/04 12:37:03.502640 eventlogger.go:56: INFO EventLog[System] successfully published 5 events
2021/01/04 12:37:03.509640 eventlogger.go:56: INFO EventLog[Windows PowerShell] successfully published 50 events
2021/01/04 12:37:03.518670 eventlogger.go:56: INFO EventLog[Windows PowerShell] successfully published 48 events
2021/01/04 12:37:03.531641 eventlogger.go:56: INFO EventLog[Security] successfully published 47 events
2021/01/04 12:37:03.531641 eventlogger.go:56: INFO EventLog[Windows PowerShell] successfully published 3 events
2021/01/04 12:37:03.548643 eventlogger.go:56: INFO EventLog[Security] successfully published 50 events

Based on those logs it appears to be working properly. Try querying without any time range and then check to see what agents are reporting data. Use the Kibana dev tools to run this. It will return each agent and number of total events.

GET winlogbeat-*/_search
{
  "aggs": {
    "agent_id": {
      "terms": {
        "field": "agent.id",
        "size": 10
      },
      "aggs": {
        "agent_name": {
          "terms": {
            "field": "agent.name",
            "size": 10
          }
        }
      }
    }
  },
  "size": 0
}

I ran the following request and the response I get is:

{
  "took": 25,
  "timed_out": false,
  "_shards": {
    "total": 362,
    "successful": 362,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": 1182993,
    "max_score": 0,
    "hits": []
  },
  "aggregations": {
    "agent_id": {
      "doc_count_error_upper_bound": 0,
      "sum_other_doc_count": 0,
      "buckets": []
    }
  }
}

The value of "hits" is incrementing but nothing is visualized.

When I run only this request:

GET winlogbeat-*/_search

I can see in details what logs came to me, but still nothing in discover tab.

That would mean that none of your events contain the agent.id field, which is a standard part of all events from Beats. Can you run the same query I posted, but with a non-zero size value, so that I can see a few of the raw events? What versions of Winlogbeat and Elasticsearch are you running?

BTW that's a lot of shards for only 1.1M events. Maybe you are not using ILM to manage the indices.

Thank you for replying. I found the issue and it was the timestamp. The very first time I set up my winlogbeat I used Windows 10, and so the auto timestamp was initialized. All I needed was to change the timestamp to the current format: YYYY-MM-DDTHH:mm:ss.SSSZ
Now it's okay.
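A small diagnostic in the spirit of the two findings in this thread (events without agent.id never show up in the aggregation, and a non-standard @timestamp keeps them out of Discover), written here as an added example that is not code from the thread or from Elastic: it reads a constructed NDJSON sample shaped like Winlogbeat output, counts healthy events per agent.name the way the terms aggregation would, and lists why each remaining event would be invisible. The sample events, the host names and the strict YYYY-MM-DDTHH:mm:ss.SSSZ check are my assumptions.

```python
import json
import re
from collections import Counter
from datetime import datetime

# Constructed NDJSON sample in Winlogbeat's event shape; not data from the thread.
SAMPLE_NDJSON = """\
{"@timestamp": "2021-01-04T12:35:19.401Z", "agent": {"id": "a1", "name": "srv2016"}, "winlog": {"channel": "Security"}}
{"@timestamp": "2021-01-04T12:37:03.407Z", "agent": {"id": "a1", "name": "srv2016"}, "winlog": {"channel": "System"}}
{"@timestamp": "04/01/2021 12:37:03", "agent": {"name": "srv2012r2"}, "winlog": {"channel": "Security"}}
{"@timestamp": "2021-01-04 12:37:03", "agent": {"id": "b2", "name": "srv2012r2"}, "winlog": {"channel": "Security"}}
"""

# The format the thread settles on: YYYY-MM-DDTHH:mm:ss.SSSZ (UTC, millisecond precision).
TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z$")

def valid_timestamp(value):
    """True only if value has the YYYY-MM-DDTHH:mm:ss.SSSZ shape and is a real date/time."""
    if not isinstance(value, str) or not TS_RE.match(value):
        return False
    try:
        datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")
        return True
    except ValueError:  # e.g. month 13 or 30 February
        return False

def check_events(ndjson_text):
    """Count healthy events per agent.name (like the terms aggregation) and explain the rest."""
    per_agent = Counter()
    problems = []  # (line number, reasons the event would not be visible)
    for lineno, line in enumerate(ndjson_text.splitlines(), 1):
        if not line.strip():
            continue
        ev = json.loads(line)
        agent = ev.get("agent", {})
        reasons = []
        if "id" not in agent:
            reasons.append("missing agent.id")
        if not valid_timestamp(ev.get("@timestamp")):
            reasons.append("bad @timestamp %r" % ev.get("@timestamp"))
        if reasons:
            problems.append((lineno, reasons))
        else:
            per_agent[agent.get("name", "<unknown>")] += 1
    return per_agent, problems

if __name__ == "__main__":
    counts, bad = check_events(SAMPLE_NDJSON)
    print(dict(counts), bad)
```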
