"INFO Non-zero metrics in the last 30s" with Winlogbeat


#1

Hi!

I'm trying to send Forwarded Events logs with Winlogbeat to a Logstash instance.

Here is my winlogbeat.yml file:

winlogbeat.event_logs:
  - name: ForwardedEvents

setup.kibana:
  host: "192.168.101.119:5601"

output.logstash:
  hosts: ["192.168.101.121:5044"]

And here is my log file:

2019-01-10T13:48:22.730+0100	INFO	instance/beat.go:592	Home path: [C:\Program Files (x86)\Winlogbeat] Config path: [C:\Program Files (x86)\Winlogbeat] Data path: [C:\ProgramData\winlogbeat] Logs path: [C:\ProgramData\winlogbeat\logs]
2019-01-10T13:48:22.733+0100	INFO	instance/beat.go:599	Beat UUID: fd4754da-9794-45bd-9357-8f95826c7900
2019-01-10T13:48:22.733+0100	INFO	[beat]	instance/beat.go:825	Beat info	{"system_info": {"beat": {"path": {"config": "C:\\Program Files (x86)\\Winlogbeat", "data": "C:\\ProgramData\\winlogbeat", "home": "C:\\Program Files (x86)\\Winlogbeat", "logs": "C:\\ProgramData\\winlogbeat\\logs"}, "type": "winlogbeat", "uuid": "fd4754da-9794-45bd-9357-8f95826c7900"}}}
2019-01-10T13:48:22.744+0100	INFO	[beat]	instance/beat.go:834	Build info	{"system_info": {"build": {"commit": "bd8922f1c7e93d12b07e0b3f7d349e17107f7826", "libbeat": "6.5.4", "time": "2018-12-17T20:37:05.000Z", "version": "6.5.4"}}}
2019-01-10T13:48:22.744+0100	INFO	[beat]	instance/beat.go:837	Go runtime info	{"system_info": {"go": {"os":"windows","arch":"amd64","max_procs":2,"version":"go1.10.6"}}}
2019-01-10T13:48:22.879+0100	INFO	[beat]	instance/beat.go:841	Host info	{"system_info": {"host": {"architecture":"x86_64","boot_time":"2019-01-09T14:51:16.93+01:00","name":"WIN-WEC","ip":["fe80::2c66:6d53:158e:4668/64","192.168.101.132/24","::1/128","127.0.0.1/8","fe80::5efe:c0a8:6584/128","2001:0:9d38:90d7:1c4c:236b:3f57:9a7b/64","fe80::1c4c:236b:3f57:9a7b/64"],"kernel_version":"10.0.14393.2665 (rs1_release.181203-1755)","mac":["00:50:56:97:ce:d7","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"family":"windows","platform":"windows","name":"Windows Server 2016 Standard","version":"10.0","major":10,"minor":0,"patch":0,"build":"14393.2670"},"timezone":"CET","timezone_offset_sec":3600,"id":"f658ec8a-6384-4105-9c95-022a70140521"}}}
2019-01-10T13:48:22.882+0100	INFO	[beat]	instance/beat.go:870	Process info	{"system_info": {"process": {"cwd": "C:\\Windows\\system32", "exe": "C:\\Program Files (x86)\\Winlogbeat\\winlogbeat.exe", "name": "winlogbeat.exe", "pid": 2620, "ppid": 568, "start_time": "2019-01-10T13:48:22.621+0100"}}}
2019-01-10T13:48:22.883+0100	INFO	instance/beat.go:278	Setup Beat: winlogbeat; Version: 6.5.4
2019-01-10T13:48:22.883+0100	INFO	[publisher]	pipeline/module.go:110	Beat name: WIN-WEC
2019-01-10T13:48:22.884+0100	INFO	beater/winlogbeat.go:68	State will be read from and persisted to C:\ProgramData\winlogbeat\.winlogbeat.yml
2019-01-10T13:48:22.884+0100	INFO	instance/beat.go:400	winlogbeat start running.
2019-01-10T13:48:22.897+0100	INFO	[monitoring]	log/log.go:117	Starting metrics logging every 30s
2019-01-10T13:48:53.159+0100	INFO	[monitoring]	log/log.go:144	Non-zero metrics in the last 30s	{"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":109,"time":{"ms":125}},"total":{"ticks":140,"time":{"ms":171},"value":0},"user":{"ticks":31,"time":{"ms":46}}},"handles":{"open":193},"info":{"ephemeral_id":"1f6b0fe5-3a6b-466a-87e9-cd1eee4fd989","uptime":{"ms":30512}},"memstats":{"gc_next":4194304,"memory_alloc":1851424,"memory_total":3482824,"rss":21291008}},"libbeat":{"config":{"module":{"running":0}},"output":{"type":"logstash"},"pipeline":{"clients":1,"events":{"active":0}}},"system":{"cpu":{"cores":2}}}}}
2019-01-10T13:49:22.898+0100	INFO	[monitoring]	log/log.go:144	Non-zero metrics in the last 30s	{"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":156,"time":{"ms":31}},"total":{"ticks":202,"time":{"ms":31},"value":202},"user":{"ticks":46}},"handles":{"open":193},"info":{"ephemeral_id":"1f6b0fe5-3a6b-466a-87e9-cd1eee4fd989","uptime":{"ms":60251}},"memstats":{"gc_next":4194304,"memory_alloc":1921944,"memory_total":3553344,"rss":57344}},"libbeat":{"config":{"module":{"running":0}},"pipeline":{"clients":1,"events":{"active":0}}}}}}
2019-01-10T13:49:52.911+0100	INFO	[monitoring]	log/log.go:144	Non-zero metrics in the last 30s	{"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":203,"time":{"ms":47}},"total":{"ticks":249,"time":{"ms":47},"value":249},"user":{"ticks":46}},"handles":{"open":193},"info":{"ephemeral_id":"1f6b0fe5-3a6b-466a-87e9-cd1eee4fd989","uptime":{"ms":90264}},"memstats":{"gc_next":4194304,"memory_alloc":1995144,"memory_total":3626544,"rss":-8192}},"libbeat":{"config":{"module":{"running":0}},"pipeline":{"clients":1,"events":{"active":0}}}}}}
2019-01-10T13:50:22.916+0100	INFO	[monitoring]	log/log.go:144	Non-zero metrics in the last 30s	{"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":218,"time":{"ms":15}},"total":{"ticks":280,"time":{"ms":31},"value":280},"user":{"ticks":62,"time":{"ms":16}}},"handles":{"open":193},"info":{"ephemeral_id":"1f6b0fe5-3a6b-466a-87e9-cd1eee4fd989","uptime":{"ms":120266}},"memstats":{"gc_next":4194304,"memory_alloc":2075824,"memory_total":3707224,"rss":106496}},"libbeat":{"config":{"module":{"running":0}},"pipeline":{"clients":1,"events":{"active":0}}}}}}
2019-01-10T13:50:52.900+0100	INFO	[monitoring]	log/log.go:144	Non-zero metrics in the last 30s	{"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":234,"time":{"ms":16}},"total":{"ticks":296,"time":{"ms":16},"value":296},"user":{"ticks":62}},"handles":{"open":194},"info":{"ephemeral_id":"1f6b0fe5-3a6b-466a-87e9-cd1eee4fd989","uptime":{"ms":150254}},"memstats":{"gc_next":4194304,"memory_alloc":1693296,"memory_total":3776584,"rss":12288}},"libbeat":{"config":{"module":{"running":0}},"pipeline":{"clients":1,"events":{"active":0}}}}}}

And my Logstash configuration file:

input {
    # Plain syslog over TCP
    tcp {
        port => 514
    }
    # Winlogbeat (and other Beats) connect here
    beats {
        port => 5044
        tags => ["beats"]
    }
}

filter {
    mutate {
        add_field => [ "real_ip", "%{host}" ]
    }
}

output {
    # udp's host is a single string, not a list
    udp {
        host => "192.168.101.112"
        port => 514
        codec => "json"
    }
    stdout {}
    kafka {
        bootstrap_servers => "192.168.101.126:9092,192.168.101.127:9092,192.168.101.125:9092"
        topic_id => "logstash"
        codec => "json"
    }
}

If I change "ForwardedEvents" to "Security" in the YAML file, it works. So the problem seems to come from this parameter.

Thank you for any help with my issue :)


#2

OK, it was a problem with the Windows subscription. It works fine.
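An added example, not part of the original thread: a small Python check that reads Winlogbeat's `[monitoring]` log lines in the tab-separated format shown above and flags a beat that keeps reporting metrics but never publishes events, which is exactly what the log in post #1 looked like while the Windows Event Forwarding subscription was broken. The first two sample windows mirror the post; the third "healthy" window and its `published`/`acked` counters are constructed for illustration.

```python
import json

# Constructed sample modelled on the Winlogbeat 6.5 metrics lines in the post
# (tab-separated: timestamp, level, logger, source location, message, JSON).
# Windows 1-2 mirror the post; window 3 is a constructed healthy window.
SAMPLE_LOG = (
    '2019-01-10T13:48:53.159+0100\tINFO\t[monitoring]\tlog/log.go:144\t'
    'Non-zero metrics in the last 30s\t{"monitoring": {"metrics": {"libbeat":'
    '{"output":{"type":"logstash"},"pipeline":{"clients":1,"events":{"active":0}}}}}}\n'
    '2019-01-10T13:49:22.898+0100\tINFO\t[monitoring]\tlog/log.go:144\t'
    'Non-zero metrics in the last 30s\t{"monitoring": {"metrics": {"libbeat":'
    '{"pipeline":{"clients":1,"events":{"active":0}}}}}}\n'
    '2019-01-10T13:49:52.911+0100\tINFO\t[monitoring]\tlog/log.go:144\t'
    'Non-zero metrics in the last 30s\t{"monitoring": {"metrics": {"libbeat":'
    '{"output":{"events":{"acked":42,"batches":1,"total":42}},'
    '"pipeline":{"clients":1,"events":{"active":0,"published":42,"total":42}}}}}}\n'
)

def parse_metrics_line(line):
    """Return (timestamp, libbeat metrics dict) for a [monitoring] line, else None."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < 6 or parts[2] != "[monitoring]":
        return None
    try:
        payload = json.loads(parts[5])
    except json.JSONDecodeError:
        return None
    return parts[0], payload.get("monitoring", {}).get("metrics", {}).get("libbeat", {})

def check_shipping(log_text, max_silent_windows=2):
    """Summarise the 30s windows and flag a beat that is alive but ships nothing.
    The log only prints non-zero metrics, so a missing pipeline.events.published
    key is a silent window; "active":0 alone only says the queue is empty."""
    published = streak = longest = windows = 0
    for line in log_text.splitlines():
        parsed = parse_metrics_line(line)
        if parsed is None:
            continue
        windows += 1
        n = parsed[1].get("pipeline", {}).get("events", {}).get("published", 0)
        published += n
        streak = streak + 1 if n == 0 else 0
        longest = max(longest, streak)
    return {
        "windows": windows,
        "published_total": published,
        "longest_silent_streak": longest,
        "alert": longest >= max_silent_windows,
    }
```

Run it over `C:\ProgramData\winlogbeat\logs\winlogbeat` on the collector; an alert with the service still up points at the source (here the WEF subscription) rather than at the Logstash side.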