Installation of ELK on Windows help

Hi all, I need some help with a Windows install. Windows Server 2022, ELK 8.12. I am trying to install everything on one box.

Steps so far

Installed Elasticsearch using elasticsearch.bat. This creates the elastic password and certs. I can then log in by browsing to https://127.0.0.1:9200 and entering creds. However, when trying the curl option, I get the error

Logstash

I have run logstash.bat -f logstash-simple.conf, and it looks like this:

input {
  beats {
    port => 5044
  }
}

output {
  elasticsearch {
    hosts => ["https://localhost:9200"]
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    #user => "elastic"
    #password => "removed"
  }
}

On the Logstash output screen, I get the message below:

LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :message=>"Elasticsearch Unreachable: [https://localhost:9200/][Manticore::ClientProtocolException] PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"}

What am I missing?

Hi insurin,

Try the curl again with the -k option to ignore the certificate warning. For the Logstash pipeline, you need to include in the output the CA cert created by the Elasticsearch installation.

Hi @grfneto, the -k option got it to work. Thanks.

What am I doing wrong once I start Logstash? Error below:

[2022-04-13T07:58:12,246][WARN ][logstash.outputs.elasticsearch][main] Attempted to resurrect connection to dead ES instance, but got an error {:url=>"https://localhost:9200/", :exception=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :message=>"Elasticsearch Unreachable: [https://localhost:9200/][Manticore::ClientProtocolException] PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"}
I run this command:

C:\elk\logstash\bin>logstash.bat -f c:\elk\logstash\config\logstash-sample.conf

My logstash.yml is all commented out, though.

logstash-sample.conf looks like this:

# Sample Logstash configuration for creating a simple
# Beats -> Logstash -> Elasticsearch pipeline.

input {
  beats {
    port => 5044
  }
}

output {
  elasticsearch {
    hosts => ["https://localhost:9200"]
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    #user => "elastic"
    #password => "changeme"
  }
}

Hi insurin,

The log shows that Logstash is not connected to Elasticsearch. I believe it is because of the cacert; you can configure this option in the pipeline output:

Elasticsearch output plugin | Logstash Reference [8.1] | Elastic

@grfneto Thank you for the pointer and the link to the documentation. I have added an additional line that points to the cert now.

# Sample Logstash configuration for creating a simple
# Beats -> Logstash -> Elasticsearch pipeline.

input {
  beats {
    port => 5044
  }
}

output {
  elasticsearch {
    hosts => ["https://localhost:9200"]
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    # option name is lowercase and the path must be a quoted string
    cacert => "/pathtomycert"
    #user => "elastic"
    #password => "changeme"
  }
}

Looks like it is working. How do I confirm this?

C:\elk\logstash\bin>logstash.bat -f c:\elk\logstash\config\logstash-sample.conf
"Using bundled JDK: C:\elk\logstash\jdk\bin\java.exe"
OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
Sending Logstash logs to C:/elk/logstash/logs which is now configured via log4j2.properties
[2022-04-13T11:11:37,063][INFO ][logstash.runner          ] Log4j configuration path used is: C:\elk\logstash\config\log4j2.properties
[2022-04-13T11:11:37,086][INFO ][logstash.runner          ] Starting Logstash {"logstash.version"=>"8.1.2", "jruby.version"=>"jruby 9.2.20.1 (2.5.8) 2021-11-30 2a2962fbd1 OpenJDK 64-Bit Server VM 11.0.14.1+1 on 11.0.14.1+1 +indy +jit [mswin32-x86_64]"}
[2022-04-13T11:11:37,102][INFO ][logstash.runner          ] JVM bootstrap flags: [-Xms1g, -Xmx1g, -XX:+UseConcMarkSweepGC, -XX:CMSInitiatingOccupancyFraction=75, -XX:+UseCMSInitiatingOccupancyOnly, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djruby.compile.invokedynamic=true, -Djruby.jit.threshold=0, -Djruby.regexp.interruptible=true, -XX:+HeapDumpOnOutOfMemoryError, -Djava.security.egd=file:/dev/urandom, -Dlog4j2.isThreadContextMapInheritable=true, --add-opens=java.base/java.security=ALL-UNNAMED, --add-opens=java.base/java.io=ALL-UNNAMED, --add-opens=java.base/java.nio.channels=ALL-UNNAMED, --add-opens=java.base/sun.nio.ch=ALL-UNNAMED, --add-opens=java.management/sun.management=ALL-UNNAMED]
[2022-04-13T11:11:37,250][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2022-04-13T11:11:39,518][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600, :ssl_enabled=>false}
[2022-04-13T11:11:40,394][INFO ][org.reflections.Reflections] Reflections took 125 ms to scan 1 urls, producing 120 keys and 419 values
[2022-04-13T11:11:41,135][INFO ][logstash.javapipeline    ] Pipeline `main` is configured with `pipeline.ecs_compatibility: v8` setting. All plugins in this pipeline will default to `ecs_compatibility => v8` unless explicitly configured otherwise.
[2022-04-13T11:11:41,281][INFO ][logstash.outputs.elasticsearch][main] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["https://localhost:9200"]}
[2022-04-13T11:11:41,899][INFO ][logstash.outputs.elasticsearch][main] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[https://elastic:xxxxxx@localhost:9200/]}}
[2022-04-13T11:11:42,534][WARN ][logstash.outputs.elasticsearch][main] Restored connection to ES instance {:url=>"https://elastic:xxxxxx@localhost:9200/"}
[2022-04-13T11:11:42,610][INFO ][logstash.outputs.elasticsearch][main] Elasticsearch version determined (8.1.2) {:es_version=>8}
[2022-04-13T11:11:42,626][WARN ][logstash.outputs.elasticsearch][main] Detected a 6.x and above cluster: the `type` event field won't be used to determine the document _type {:es_version=>8}
[2022-04-13T11:11:42,800][INFO ][logstash.outputs.elasticsearch][main] Config is not compliant with data streams. `data_stream => auto` resolved to `false`
[2022-04-13T11:11:42,800][INFO ][logstash.outputs.elasticsearch][main] Config is not compliant with data streams. `data_stream => auto` resolved to `false`
[2022-04-13T11:11:42,848][WARN ][logstash.outputs.elasticsearch][main] Elasticsearch Output configured with `ecs_compatibility => v8`, which resolved to an UNRELEASED preview of version 8.0.0 of the Elastic Common Schema. Once ECS v8 and an updated release of this plugin are publicly available, you will need to update this plugin to resolve this warning.
[2022-04-13T11:11:42,937][INFO ][logstash.outputs.elasticsearch][main] Using a default mapping template {:es_version=>8, :ecs_compatibility=>:v8}
[2022-04-13T11:11:43,086][INFO ][logstash.javapipeline    ][main] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>2, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>250, "pipeline.sources"=>["c:/elk/logstash/config/logstash-sample.conf"], :thread=>"#<Thread:0x7ced68d5 run>"}
[2022-04-13T11:11:43,261][INFO ][logstash.outputs.elasticsearch][main] Installing Elasticsearch template {:name=>"ecs-logstash"}
[2022-04-13T11:11:44,473][INFO ][logstash.javapipeline    ][main] Pipeline Java execution initialization time {"seconds"=>1.31}
[2022-04-13T11:11:44,536][INFO ][logstash.inputs.beats    ][main] Starting input listener {:address=>"0.0.0.0:5044"}
[2022-04-13T11:11:44,583][INFO ][logstash.javapipeline    ][main] Pipeline started {"pipeline.id"=>"main"}
[2022-04-13T11:11:44,741][INFO ][org.logstash.beats.Server][main][746490ac88738819a51a8a9580cdfd242665021464365d8501f527bfdd525b8b] Starting server on port: 5044
[2022-04-13T11:11:44,866][INFO ][logstash.agent           ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}

Hi @insurin

Looks like it worked fine. You can confirm whether the beats index was created in Elasticsearch.
You can consult the API https://localhost:9200/_cat/indices or the Discover tab in Kibana.

I hope it helped you :wink:

Best Regards
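Putting the two replies together (trust the CA that Elasticsearch generated rather than skipping verification with curl -k, then check /_cat/indices for the beats index) as one script. This is an added example, not code from the thread or from Elastic; it assumes the CA file is the http_ca.crt that Elasticsearch 8 writes under its config/certs directory and that the elastic password is supplied in the ES_PASSWORD environment variable.

```python
"""Check a Logstash -> Elasticsearch TLS setup the way the output plugin does:
verify the server chain against the installer-generated CA, then list the
beats indices. Added example; paths and env var names are assumptions."""
import json
import os
import re
import ssl
import urllib.request
from base64 import b64encode

ES_URL = "https://localhost:9200"  # same host as in the thread's pipeline
# Assumed location of the CA that Elasticsearch 8 generates at install time
CA_PATH = os.environ.get("ES_CA", r"C:\elk\elasticsearch\config\certs\http_ca.crt")

# Index names produced by the thread's pattern "%{beat}-%{version}-%{+YYYY.MM.dd}"
BEATS_INDEX = re.compile(r"^(?P<beat>[a-z]+beat)-(?P<ver>\d+\.\d+\.\d+)-\d{4}\.\d{2}\.\d{2}$")


def build_ssl_context(ca_path: str) -> ssl.SSLContext:
    """Trust only the Elasticsearch CA; chain and hostname checks stay on.
    This is the equivalent of 'curl --cacert' or the plugin's cacert option,
    and is what fixes the PKIX 'unable to find valid certification path' error."""
    ctx = ssl.create_default_context(cafile=ca_path)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def cat_indices(es_url: str, user: str, password: str, ctx: ssl.SSLContext) -> list:
    """GET /_cat/indices as JSON, the check suggested in the last reply."""
    req = urllib.request.Request(f"{es_url}/_cat/indices?format=json&h=index,health,docs.count")
    token = b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


def beats_indices(rows: list) -> dict:
    """Return {index_name: docs.count} for indices written by the Beats pipeline;
    system indices such as .security-7 and the ecs-logstash template are ignored."""
    out = {}
    for row in rows:
        name = row.get("index", "")
        if BEATS_INDEX.match(name):
            out[name] = int(row.get("docs.count") or 0)  # docs.count is null for closed indices
    return out


if __name__ == "__main__":
    user = os.environ.get("ES_USER", "elastic")
    pw = os.environ["ES_PASSWORD"]  # the password printed by the Elasticsearch installer
    found = beats_indices(cat_indices(ES_URL, user, pw, build_ssl_context(CA_PATH)))
    print("beats indices:", found or "none yet (nothing shipped to port 5044 so far)")
```

An empty result after the pipeline starts cleanly is normal until a Beat actually ships events to port 5044; a TLS failure here means the CA path is wrong, not that Elasticsearch is down.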
