Hi!
I'm trying to send Forwarded Events logs with Winlogbeat to a Logstash instance.
Here is my winlogbeat.yml file:

```yaml
winlogbeat.event_logs:
  - name: ForwardedEvents

setup.kibana:
  host: "192.168.101.119:5601"

output.logstash:
  hosts: ["192.168.101.121:5044"]
```
And here is my log file:
2019-01-10T13:48:22.730+0100 INFO instance/beat.go:592 Home path: [C:\Program Files (x86)\Winlogbeat] Config path: [C:\Program Files (x86)\Winlogbeat] Data path: [C:\ProgramData\winlogbeat] Logs path: [C:\ProgramData\winlogbeat\logs]
2019-01-10T13:48:22.733+0100 INFO instance/beat.go:599 Beat UUID: fd4754da-9794-45bd-9357-8f95826c7900
2019-01-10T13:48:22.733+0100 INFO [beat] instance/beat.go:825 Beat info {"system_info": {"beat": {"path": {"config": "C:\\Program Files (x86)\\Winlogbeat", "data": "C:\\ProgramData\\winlogbeat", "home": "C:\\Program Files (x86)\\Winlogbeat", "logs": "C:\\ProgramData\\winlogbeat\\logs"}, "type": "winlogbeat", "uuid": "fd4754da-9794-45bd-9357-8f95826c7900"}}}
2019-01-10T13:48:22.744+0100 INFO [beat] instance/beat.go:834 Build info {"system_info": {"build": {"commit": "bd8922f1c7e93d12b07e0b3f7d349e17107f7826", "libbeat": "6.5.4", "time": "2018-12-17T20:37:05.000Z", "version": "6.5.4"}}}
2019-01-10T13:48:22.744+0100 INFO [beat] instance/beat.go:837 Go runtime info {"system_info": {"go": {"os":"windows","arch":"amd64","max_procs":2,"version":"go1.10.6"}}}
2019-01-10T13:48:22.879+0100 INFO [beat] instance/beat.go:841 Host info {"system_info": {"host": {"architecture":"x86_64","boot_time":"2019-01-09T14:51:16.93+01:00","name":"WIN-WEC","ip":["fe80::2c66:6d53:158e:4668/64","192.168.101.132/24","::1/128","127.0.0.1/8","fe80::5efe:c0a8:6584/128","2001:0:9d38:90d7:1c4c:236b:3f57:9a7b/64","fe80::1c4c:236b:3f57:9a7b/64"],"kernel_version":"10.0.14393.2665 (rs1_release.181203-1755)","mac":["00:50:56:97:ce:d7","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"family":"windows","platform":"windows","name":"Windows Server 2016 Standard","version":"10.0","major":10,"minor":0,"patch":0,"build":"14393.2670"},"timezone":"CET","timezone_offset_sec":3600,"id":"f658ec8a-6384-4105-9c95-022a70140521"}}}
2019-01-10T13:48:22.882+0100 INFO [beat] instance/beat.go:870 Process info {"system_info": {"process": {"cwd": "C:\\Windows\\system32", "exe": "C:\\Program Files (x86)\\Winlogbeat\\winlogbeat.exe", "name": "winlogbeat.exe", "pid": 2620, "ppid": 568, "start_time": "2019-01-10T13:48:22.621+0100"}}}
2019-01-10T13:48:22.883+0100 INFO instance/beat.go:278 Setup Beat: winlogbeat; Version: 6.5.4
2019-01-10T13:48:22.883+0100 INFO [publisher] pipeline/module.go:110 Beat name: WIN-WEC
2019-01-10T13:48:22.884+0100 INFO beater/winlogbeat.go:68 State will be read from and persisted to C:\ProgramData\winlogbeat\.winlogbeat.yml
2019-01-10T13:48:22.884+0100 INFO instance/beat.go:400 winlogbeat start running.
2019-01-10T13:48:22.897+0100 INFO [monitoring] log/log.go:117 Starting metrics logging every 30s
2019-01-10T13:48:53.159+0100 INFO [monitoring] log/log.go:144 Non-zero metrics in the last 30s {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":109,"time":{"ms":125}},"total":{"ticks":140,"time":{"ms":171},"value":0},"user":{"ticks":31,"time":{"ms":46}}},"handles":{"open":193},"info":{"ephemeral_id":"1f6b0fe5-3a6b-466a-87e9-cd1eee4fd989","uptime":{"ms":30512}},"memstats":{"gc_next":4194304,"memory_alloc":1851424,"memory_total":3482824,"rss":21291008}},"libbeat":{"config":{"module":{"running":0}},"output":{"type":"logstash"},"pipeline":{"clients":1,"events":{"active":0}}},"system":{"cpu":{"cores":2}}}}}
2019-01-10T13:49:22.898+0100 INFO [monitoring] log/log.go:144 Non-zero metrics in the last 30s {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":156,"time":{"ms":31}},"total":{"ticks":202,"time":{"ms":31},"value":202},"user":{"ticks":46}},"handles":{"open":193},"info":{"ephemeral_id":"1f6b0fe5-3a6b-466a-87e9-cd1eee4fd989","uptime":{"ms":60251}},"memstats":{"gc_next":4194304,"memory_alloc":1921944,"memory_total":3553344,"rss":57344}},"libbeat":{"config":{"module":{"running":0}},"pipeline":{"clients":1,"events":{"active":0}}}}}}
2019-01-10T13:49:52.911+0100 INFO [monitoring] log/log.go:144 Non-zero metrics in the last 30s {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":203,"time":{"ms":47}},"total":{"ticks":249,"time":{"ms":47},"value":249},"user":{"ticks":46}},"handles":{"open":193},"info":{"ephemeral_id":"1f6b0fe5-3a6b-466a-87e9-cd1eee4fd989","uptime":{"ms":90264}},"memstats":{"gc_next":4194304,"memory_alloc":1995144,"memory_total":3626544,"rss":-8192}},"libbeat":{"config":{"module":{"running":0}},"pipeline":{"clients":1,"events":{"active":0}}}}}}
2019-01-10T13:50:22.916+0100 INFO [monitoring] log/log.go:144 Non-zero metrics in the last 30s {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":218,"time":{"ms":15}},"total":{"ticks":280,"time":{"ms":31},"value":280},"user":{"ticks":62,"time":{"ms":16}}},"handles":{"open":193},"info":{"ephemeral_id":"1f6b0fe5-3a6b-466a-87e9-cd1eee4fd989","uptime":{"ms":120266}},"memstats":{"gc_next":4194304,"memory_alloc":2075824,"memory_total":3707224,"rss":106496}},"libbeat":{"config":{"module":{"running":0}},"pipeline":{"clients":1,"events":{"active":0}}}}}}
2019-01-10T13:50:52.900+0100 INFO [monitoring] log/log.go:144 Non-zero metrics in the last 30s {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":234,"time":{"ms":16}},"total":{"ticks":296,"time":{"ms":16},"value":296},"user":{"ticks":62}},"handles":{"open":194},"info":{"ephemeral_id":"1f6b0fe5-3a6b-466a-87e9-cd1eee4fd989","uptime":{"ms":150254}},"memstats":{"gc_next":4194304,"memory_alloc":1693296,"memory_total":3776584,"rss":12288}},"libbeat":{"config":{"module":{"running":0}},"pipeline":{"clients":1,"events":{"active":0}}}}}}
And my Logstash configuration file:

```
input {
  tcp {
    port => "514"
  }
  beats {
    port => "5044"
    tags => ["beats"]
  }
}

filter {
  mutate {
    add_field => [ "real_ip", "%{host}" ]
  }
}

output {
  udp {
    host => ["192.168.101.112"]
    port => 514
    codec => "json"
  }
  stdout {}
  kafka {
    bootstrap_servers => "192.168.101.126:9092,192.168.101.127:9092,192.168.101.125:9092"
    topic_id => "logstash"
    codec => "json"
  }
}
```
If I change "ForwardedEvents" to "Security" in the YAML file, it works. So the problem seems to come from this parameter.
Thank you for any help with my issue.
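A quick way to tell from the 30-second "Non-zero metrics" lines whether Winlogbeat is reading anything at all, as an added example that is not part of the post above. The lines in the post carry only `pipeline.events.active` and the output type; the `pipeline.events.published` and `output.events.acked` key names used here are an assumption about Beats 6.x monitoring output, and the second sample line is constructed to show what a healthy interval would look like.

```python
import json
import re

# Constructed samples. Line 0 has the shape of the post's own intervals
# (no event counters at all); line 1 is a constructed "healthy" interval.
# The published/acked key names are an assumption, not taken from the post.
SAMPLE_LINES = [
    '2019-01-10T13:48:53.159+0100 INFO [monitoring] log/log.go:144 Non-zero metrics in the last 30s '
    '{"monitoring": {"metrics": {"beat":{"info":{"uptime":{"ms":30512}}},'
    '"libbeat":{"output":{"type":"logstash"},"pipeline":{"clients":1,"events":{"active":0}}}}}}',
    '2019-01-10T13:49:22.898+0100 INFO [monitoring] log/log.go:144 Non-zero metrics in the last 30s '
    '{"monitoring": {"metrics": {"beat":{"info":{"uptime":{"ms":60251}}},'
    '"libbeat":{"output":{"events":{"acked":42}},"pipeline":{"events":{"active":0,"published":42}}}}}}',
]
SAMPLE_LOG = "\n".join(SAMPLE_LINES)

METRICS_RE = re.compile(r"Non-zero metrics in the last \d+s\s+(\{.*\})\s*$")


def dig(d, *path, default=0):
    """Walk nested dicts; a missing key counts as 0 (Beats omits zero-valued metrics)."""
    for key in path:
        if not isinstance(d, dict) or key not in d:
            return default
        d = d[key]
    return d


def parse_metrics(line):
    """Return the per-interval counters from one monitoring line, or None for other lines."""
    m = METRICS_RE.search(line)
    if not m:
        return None
    metrics = json.loads(m.group(1))["monitoring"]["metrics"]
    return {
        "uptime_ms": dig(metrics, "beat", "info", "uptime", "ms"),
        "published": dig(metrics, "libbeat", "pipeline", "events", "published"),
        "acked": dig(metrics, "libbeat", "output", "events", "acked"),
        "active": dig(metrics, "libbeat", "pipeline", "events", "active"),
    }


def diagnose(log_text):
    """Separate a reader-side problem (nothing read) from an output-side one (read but not acked)."""
    intervals = [p for p in map(parse_metrics, log_text.splitlines()) if p]
    if not intervals:
        return "no monitoring intervals found"
    published = sum(p["published"] for p in intervals)
    acked = sum(p["acked"] for p in intervals)
    if published == 0:
        return "no events read from the configured channel"
    if acked < published:
        return "events read but not all acknowledged by output"
    return "events flowing"
```

Run against the log in the post, every interval looks like line 0, so the verdict is "no events read", pointing at the channel subscription rather than the Logstash output.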