Initial Configuration

Elastic Stack Beats
1

Well, everything else seems to be configured correctly from what I can tell. Now this is repeating in the winlogbeat log

2017-07-18T14:38:21-04:00 ERR Failed to publish events caused by: EOF
2017-07-18T14:38:21-04:00 INFO Error publishing events (retrying): EOF
2017-07-18T14:38:41-04:00 INFO Non-zero metrics in the last 30s: libbeat.logstash.call_count.PublishEvents=1 libbeat.logstash.publish.read_errors=1 libbeat.logstash.publish.write_bytes=677 libbeat.logstash.published_but_not_acked_events=100 uptime={"server_time":"2017-07-18T18:38:41.7852489Z","start_time":"2017-07-18T18:28:41.7216539Z","uptime":"10m0.063595s","uptime_ms":"600063595"}
2017-07-18T14:39:11-04:00 INFO Non-zero metrics in the last 30s: uptime={"server_time":"2017-07-18T18:39:11.7846738Z","start_time":"2017-07-18T18:28:41.7216539Z","uptime":"10m30.0630199s","uptime_ms":"630063019"}

Ideas? Theres nothing else filtering traffic between the winlogbeat location and the CentOS 7 installation of ELK

2

Well, progress made, discovered the stack is misconfigured internally, just trying to find the right configuration file now. when I tail logstash.log I get the following.

{:timestamp=>"2017-07-18T11:58:15.016000-0700", :message=>"Attempted to send a bulk request to Elasticsearch configured at '["http://localhost:9200/"]', but Elasticsearch appears to be unreachable or down!", :error_message=>"Connection refused (Connection refused)", :class=>"Manticore::SocketException", :client_config=>{:hosts=>["http://localhost:9200/"], :ssl=>nil, :transport_options=>{:socket_timeout=>0, :request_timeout=>0, :proxy=>nil, :ssl=>{}}, :transport_class=>Elasticsearch::Transport::Transport::HTTP::Manticore, :logger=>nil, :tracer=>nil, :reload_connections=>false, :retry_on_failure=>false, :reload_on_failure=>false, :randomize_hosts=>false}, :level=>:error}
{:timestamp=>"2017-07-18T11:58:15.035000-0700", :message=>"Attempted to send a bulk request to Elasticsearch configured at '["http://localhost:9200/"]', but Elasticsearch appears to be unreachable or down!", :error_message=>"Connection refused (Connection refused)", :class=>"Manticore::SocketException", :client_config=>{:hosts=>["http://localhost:9200/"], :ssl=>nil, :transport_options=>{:socket_timeout=>0, :request_timeout=>0, :proxy=>nil, :ssl=>{}}, :transport_class=>Elasticsearch::Transport::Transport::HTTP::Manticore, :logger=>nil, :tracer=>nil, :reload_connections=>false, :retry_on_failure=>false, :reload_on_failure=>false, :randomize_hosts=>false}, :level=>:error}
{:timestamp=>"2017-07-18T11:58:15.036000-0700", :message=>"Attempted to send a bulk request to Elasticsearch configured at '["http://localhost:9200/"]', but Elasticsearch appears to be unreachable or down!", :error_message=>"Connection refused (Connection refused)", :class=>"Manticore::SocketException", :client_config=>{:hosts=>["http://localhost:9200/"], :ssl=>nil, :transport_options=>{:socket_timeout=>0, :request_timeout=>0, :proxy=>nil, :ssl=>{}}, :transport_class=>Elasticsearch::Transport::Transport::HTTP::Manticore, :logger=>nil, :tracer=>nil, :reload_connections=>false, :retry_on_failure=>false, :reload_on_failure=>false, :randomize_hosts=>false}, :level=>:error}

localhost needs to be swapped to an IP address, changed the .conf for input and outut in /etc/logstash/conf.d, still looking for where else it might be wrong

3

Is Elasticsearch running on same host as logstash? If not, check your Elasticsearch configuration for not binding to localhost only.