INFO Connecting error publishing events (retrying): 403 Forbidden?

Hi there,

I have installed Winlogbeat 5.0-alpha5 on my Server 2003 64-bit machine running the CAS role for Exchange 2007. The install is done, but when I start the service I get this message from Winlogbeat:

2016-09-14T17:14:08+07:00 INFO Home path: [C:\Program Files\winlogbeat] Config path: [C:\Program Files\winlogbeat] Data path: [C:\ProgramData\winlogbeat] Logs path: [C:\Program Files\winlogbeat\logs]
2016-09-14T17:14:08+07:00 INFO Setup Beat: winlogbeat; Version: 5.0.0-alpha5
2016-09-14T17:14:08+07:00 INFO Loading template enabled. Reading template file: C:\Program Files\winlogbeat/winlogbeat.template.json
2016-09-14T17:14:08+07:00 INFO Loading template enabled for Elasticsearch 2.x. Reading template file: C:\Program Files\winlogbeat/winlogbeat.template-es2x.json
2016-09-14T17:14:08+07:00 INFO Elasticsearch url: http://elk:9200
2016-09-14T17:14:08+07:00 INFO Activated elasticsearch as output plugin.
2016-09-14T17:14:08+07:00 INFO Publisher name: CAS
2016-09-14T17:14:08+07:00 INFO Flush Interval set to: 1s
2016-09-14T17:14:08+07:00 INFO Max Bulk Size set to: 50
2016-09-14T17:14:08+07:00 INFO State will be read from and persisted to C:\ProgramData\winlogbeat.winlogbeat.yml
2016-09-14T17:14:08+07:00 INFO winlogbeat start running.
2016-09-14T17:14:08+07:00 INFO EventLogging[System] contains 82061 records. Record number range [835561, 917621]. Starting at 835561 (ignoringFirst=false)
2016-09-14T17:14:08+07:00 INFO EventLogging[Security] contains 59910 records. Record number range [126180111, 126240020]. Starting at 126180111 (ignoringFirst=false)
2016-09-14T17:14:08+07:00 INFO EventLogging[Application] contains 9200 records. Record number range [4049237, 4058436]. Starting at 4055031 (ignoringFirst=true)
2016-09-14T17:14:09+07:00 INFO Connecting error publishing events (retrying): 403 Forbidden
2016-09-14T17:14:10+07:00 INFO Connecting error publishing events (retrying): 403 Forbidden
2016-09-14T17:14:12+07:00 INFO Connecting error publishing events (retrying): 403 Forbidden

What is "INFO Connecting error publishing events (retrying): 403 Forbidden"?
I used this config on my server and it's working, but this CAS server is not working.

Please advise on my issue.
Thanks in advance.

Perhaps Winlogbeat needs to authenticate to ES? You should be able to debug this outside of Winlogbeat with curl and similar tools.

My ES does not require any authentication, for testing. The other servers (Windows 2003, 2k8, 2k12) are working, but not the CAS server.

The HTTP server that the beat is connecting to is returning a 403 response code. Can you try connecting to the server using the command below and see what response you get?

PS C:\> Invoke-WebRequest -URI http://elk:9200

Are you using Shield or any proxy servers in front of Elasticsearch?

I am upgrading PowerShell v1 to v2 and a restart is pending. I will come back with my results when I have finished this task.


I think my server had a problem, because when I connected with curl for Windows the packets went to my proxy! But access via Internet Explorer works and does not pass through the proxy. I have no idea about it! I tried updating IE, resetting the configuration in IE, and restarting my server, but it doesn't work.

Thanks guys for your guidance. I will try to fix this problem with my Squid proxy!
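
An added example, not part of any post in this thread: a check that runs on PowerShell v2 (Invoke-WebRequest needs PowerShell 3.0 or later), listing the proxy settings that curl and Internet Explorer would each pick up on this server, then requesting the Elasticsearch URL directly and through the IE-selected proxy to show which hop returns the 403. `Test-Endpoint` is a helper name chosen here; `http://elk:9200` is the URL from the log above.

```powershell
# Added example; uses only .NET 2.0 classes so it works on PowerShell v2.
$url = 'http://elk:9200'   # Elasticsearch URL from the winlogbeat log above
$uri = New-Object System.Uri $url

# 1. Proxy variables that curl reads from the environment, per scope.
foreach ($name in 'http_proxy', 'https_proxy', 'all_proxy', 'no_proxy') {
    foreach ($scope in 'Process', 'User', 'Machine') {
        $value = [Environment]::GetEnvironmentVariable($name, $scope)
        if ($value) { "{0,-12} {1,-8} {2}" -f $name, $scope, $value }
    }
}

# 2. Proxy that the Internet Explorer settings select for this URL.
$system = [System.Net.WebRequest]::GetSystemWebProxy()
if ($system.IsBypassed($uri)) { "IE settings: direct connection" }
else { "IE settings: via $($system.GetProxy($uri))" }

# 3. Request the URL with a given proxy and report who answered.
function Test-Endpoint($label, $proxy) {
    $req = [System.Net.WebRequest]::Create($uri)
    $req.Proxy = $proxy
    $req.Timeout = 10000   # milliseconds
    try { $resp = $req.GetResponse() }
    catch {
        # 4xx/5xx surface as WebException, possibly wrapped by PowerShell.
        $ex = $_.Exception
        while ($ex -and -not ($ex -is [System.Net.WebException])) {
            $ex = $ex.InnerException
        }
        if (-not $ex -or -not $ex.Response) {
            "$label : no HTTP response ($($_.Exception.Message))"
            return
        }
        $resp = $ex.Response
    }
    "{0} : {1} Server={2} Via={3}" -f $label, [int]$resp.StatusCode,
        $resp.Headers['Server'], $resp.Headers['Via']
    $resp.Close()
}

# An empty WebProxy has no address, so the request goes out directly.
Test-Endpoint 'direct     ' (New-Object System.Net.WebProxy)
Test-Endpoint 'IE settings' $system
```

A Server or Via header on the 403 that names a proxy indicates the response came from that proxy rather than from Elasticsearch. Machine-scope variables are the ones a Windows service inherits, so they matter for a beat running as a service.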
