INFO Connecting error publishing events (retrying): 403 Forbidden?

poper · September 14, 2016, 10:17am

Hi There,

I have installed winlogbeat 5.0-alpha5 on my server 2003 64bit running cas role for exchange 2007. I'm install already but when I start the service I got message from winlogbeat said:

2016-09-14T17:14:08+07:00 INFO Home path: [C:\Program Files\winlogbeat] Config path: [C:\Program Files\winlogbeat] Data path: [C:\ProgramData\winlogbeat] Logs path: [C:\Program Files\winlogbeat\logs]
2016-09-14T17:14:08+07:00 INFO Setup Beat: winlogbeat; Version: 5.0.0-alpha5
2016-09-14T17:14:08+07:00 INFO Loading template enabled. Reading template file: C:\Program Files\winlogbeat/winlogbeat.template.json
2016-09-14T17:14:08+07:00 INFO Loading template enabled for Elasticsearch 2.x. Reading template file: C:\Program Files\winlogbeat/winlogbeat.template-es2x.json
2016-09-14T17:14:08+07:00 INFO Elasticsearch url: http://elk:9200
2016-09-14T17:14:08+07:00 INFO Activated elasticsearch as output plugin.
2016-09-14T17:14:08+07:00 INFO Publisher name: CAS
2016-09-14T17:14:08+07:00 INFO Flush Interval set to: 1s
2016-09-14T17:14:08+07:00 INFO Max Bulk Size set to: 50
2016-09-14T17:14:08+07:00 INFO State will be read from and persisted to C:\ProgramData\winlogbeat.winlogbeat.yml
2016-09-14T17:14:08+07:00 INFO winlogbeat start running.
2016-09-14T17:14:08+07:00 INFO EventLogging[System] contains 82061 records. Record number range [835561, 917621]. Starting at 835561 (ignoringFirst=false)
2016-09-14T17:14:08+07:00 INFO EventLogging[Security] contains 59910 records. Record number range [126180111, 126240020]. Starting at 126180111 (ignoringFirst=false)
2016-09-14T17:14:08+07:00 INFO EventLogging[Application] contains 9200 records. Record number range [4049237, 4058436]. Starting at 4055031 (ignoringFirst=true)
2016-09-14T17:14:09+07:00 INFO Connecting error publishing events (retrying): 403 Forbidden
2016-09-14T17:14:10+07:00 INFO Connecting error publishing events (retrying): 403 Forbidden
2016-09-14T17:14:12+07:00 INFO Connecting error publishing events (retrying): 403 Forbidden

What is ? INFO Connecting error publishing events (retrying): 403 Forbidden
I was used this config to my server it's working but this CAS server is not working.

Please advice for my issue.
Thanks in advance.

magnusbaeck · September 14, 2016, 10:43am

Perhaps Winlogbeat needs to authenticate to ES? You should be able to debug this outside of Winlogbeat with curl and similar tools.

poper · September 14, 2016, 4:16pm

My ES is not require any authentication for testing. any servers windows 2003 and 2k8, 2k12 are working but without cas server.

andrewkroh · September 14, 2016, 4:47pm

The HTTP server that the beat is connecting to is returning a 403 response code. Can you try connecting to the server using the command below and see what response you get.

PS C:\> Invoke-WebRequest -URI http://elk:9200

Are you using Shield or any proxy servers in front of Elasticsearch?

poper · September 15, 2016, 2:17am

I will upgrading powershell v1 to v2 and pending restart. and I will comeback again when Im finished this task with my results.

Thanks.

poper · September 16, 2016, 4:32am

I think my server had a problem because I connected with curl for win the package going to my proxy! but I could access via internet explore is working not pass to proxy. I have no idea with it! I Tried to update IE, reseting any configure on IE, restart on my server but it doesn't work.

Thanks guys for your guidance. I will try to fix this my problem with my squid proxy!

system · October 5, 2016, 10:17am

This topic was automatically closed after 21 days. New replies are no longer allowed.