Initial Configuration

Well, everything else seems to be configured correctly from what I can tell. Now this is repeating in the winlogbeat log:

2017-07-18T14:38:21-04:00 ERR Failed to publish events caused by: EOF
2017-07-18T14:38:21-04:00 INFO Error publishing events (retrying): EOF
2017-07-18T14:38:41-04:00 INFO Non-zero metrics in the last 30s: libbeat.logstash.call_count.PublishEvents=1 libbeat.logstash.publish.read_errors=1 libbeat.logstash.publish.write_bytes=677 libbeat.logstash.published_but_not_acked_events=100 uptime={"server_time":"2017-07-18T18:38:41.7852489Z","start_time":"2017-07-18T18:28:41.7216539Z","uptime":"10m0.063595s","uptime_ms":"600063595"}
2017-07-18T14:39:11-04:00 INFO Non-zero metrics in the last 30s: uptime={"server_time":"2017-07-18T18:39:11.7846738Z","start_time":"2017-07-18T18:28:41.7216539Z","uptime":"10m30.0630199s","uptime_ms":"630063019"}

Ideas? There's nothing else filtering traffic between the winlogbeat location and the CentOS 7 installation of ELK.

Well, progress made: discovered the stack is misconfigured internally, just trying to find the right configuration file now. When I tail logstash.log I get the following.

{:timestamp=>"2017-07-18T11:58:15.016000-0700", :message=>"Attempted to send a bulk request to Elasticsearch configured at '["http://localhost:9200/"]', but Elasticsearch appears to be unreachable or down!", :error_message=>"Connection refused (Connection refused)", :class=>"Manticore::SocketException", :client_config=>{:hosts=>["http://localhost:9200/"], :ssl=>nil, :transport_options=>{:socket_timeout=>0, :request_timeout=>0, :proxy=>nil, :ssl=>{}}, :transport_class=>Elasticsearch::Transport::Transport::HTTP::Manticore, :logger=>nil, :tracer=>nil, :reload_connections=>false, :retry_on_failure=>false, :reload_on_failure=>false, :randomize_hosts=>false}, :level=>:error}
{:timestamp=>"2017-07-18T11:58:15.035000-0700", :message=>"Attempted to send a bulk request to Elasticsearch configured at '["http://localhost:9200/"]', but Elasticsearch appears to be unreachable or down!", :error_message=>"Connection refused (Connection refused)", :class=>"Manticore::SocketException", :client_config=>{:hosts=>["http://localhost:9200/"], :ssl=>nil, :transport_options=>{:socket_timeout=>0, :request_timeout=>0, :proxy=>nil, :ssl=>{}}, :transport_class=>Elasticsearch::Transport::Transport::HTTP::Manticore, :logger=>nil, :tracer=>nil, :reload_connections=>false, :retry_on_failure=>false, :reload_on_failure=>false, :randomize_hosts=>false}, :level=>:error}
{:timestamp=>"2017-07-18T11:58:15.036000-0700", :message=>"Attempted to send a bulk request to Elasticsearch configured at '["http://localhost:9200/"]', but Elasticsearch appears to be unreachable or down!", :error_message=>"Connection refused (Connection refused)", :class=>"Manticore::SocketException", :client_config=>{:hosts=>["http://localhost:9200/"], :ssl=>nil, :transport_options=>{:socket_timeout=>0, :request_timeout=>0, :proxy=>nil, :ssl=>{}}, :transport_class=>Elasticsearch::Transport::Transport::HTTP::Manticore, :logger=>nil, :tracer=>nil, :reload_connections=>false, :retry_on_failure=>false, :reload_on_failure=>false, :randomize_hosts=>false}, :level=>:error}

localhost needs to be swapped to an IP address; changed the .conf for input and output in /etc/logstash/conf.d, still looking for where else it might be wrong.

Is Elasticsearch running on the same host as Logstash? If not, check that your Elasticsearch configuration is not binding to localhost only.
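
The triage done by hand in this thread, as an added example that is not part of the original posts: it reads the two kinds of log lines quoted above and reports which hop of Winlogbeat -> Logstash -> Elasticsearch is failing, and whether the Elasticsearch host Logstash was given is a loopback address. The function names are hypothetical and the sample lines are constructed, shortened from the excerpts above.

```python
import re

# Constructed sample input: lines shortened from the log excerpts quoted in this thread.
BEAT_LOG = [
    "2017-07-18T14:38:21-04:00 ERR Failed to publish events caused by: EOF",
    "2017-07-18T14:38:41-04:00 INFO Non-zero metrics in the last 30s: "
    "libbeat.logstash.publish.read_errors=1 "
    "libbeat.logstash.published_but_not_acked_events=100",
]
LOGSTASH_LOG = [
    '{:message=>"Attempted to send a bulk request to Elasticsearch", '
    ':error_message=>"Connection refused (Connection refused)", '
    ':client_config=>{:hosts=>["http://localhost:9200/"]}, :level=>:error}',
]

METRIC = re.compile(r"libbeat\.logstash\.([\w.]+)=(\d+)")
HOSTS = re.compile(r':hosts=>\["([^"]+)"')
ERRMSG = re.compile(r':error_message=>"([^"]*)"')
LOOPBACK = re.compile(r"//(localhost|127\.\d+\.\d+\.\d+|\[::1\])[:/]")

def beat_metrics(lines):
    """Sum the libbeat.logstash.* counters found in Winlogbeat log lines."""
    totals = {}
    for line in lines:
        for name, value in METRIC.findall(line):
            totals[name] = totals.get(name, 0) + int(value)
    return totals

def logstash_output_errors(lines):
    """Extract the configured Elasticsearch host and error from Logstash error lines."""
    found = []
    for line in lines:
        host, err = HOSTS.search(line), ERRMSG.search(line)
        if host and err:
            found.append({"host": host.group(1), "error": err.group(1),
                          "loopback": bool(LOOPBACK.search(host.group(1)))})
    return found

def diagnose(beat_lines, logstash_lines):
    """Report which hop of Winlogbeat -> Logstash -> Elasticsearch shows a failure."""
    findings = []
    if beat_metrics(beat_lines).get("published_but_not_acked_events", 0) > 0:
        findings.append("beat->logstash: events published but not acknowledged")
    for e in logstash_output_errors(logstash_lines):
        kind = "loopback" if e["loopback"] else "non-loopback"
        note = f"logstash->elasticsearch: {e['host']} ({kind}): {e['error']}"
        if note not in findings:
            findings.append(note)
    return findings
```

A loopback host together with "Connection refused" points at the Logstash output setting or at Elasticsearch not listening on that address, which is the question the last reply asks.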
