Issues running Filebeat on Windows

Hi, I have a Windows 7 Client VM that I'm trying to run Filebeat on. I can run "Start-Service filebeat" without getting any errors, but when I look at the log file, it's having a connection failure. My ELK Stack is running on CentOS and I also have a CentOS Client VM which connects fine. I can post my Filebeat configuration for my CentOS client if necessary. I've added what I think are the necessary firewall exceptions and restarted the firewall and all necessary services on my ELK Server.

Log output:
2016-04-13T22:05:14-04:00 ERR SSL client failed to connect with: dial tcp 10.0.2.24:5044: connectex: A socket operation was attempted to an unreachable host.

Configuration file:

filebeat:
    prospectors:
    -
      paths:
        - C:\Windows\System32\winevt\Logs\*
      #  - /var/log/*.log
      
      input_type: log
      document_type: syslog
      registry_file: "C://ProgramData//filebeat//registry"

output:
  logstash:
    hosts: ["10.0.2.24:5044"]
    bulk_max_size: 1024
    index: filebeat
    tls:
      certificate_authorities: ["C:/logstash-forwarder.crt"]
    
    path: "filebeat.template.json"
    
shipper:
logging:
  files:
    rotateeverybytes: 10485760 # = 10MB

Can you telnet to the LS host from windows?

No. I can ping the LS host, but when I try to telnet 10.0.2.24:5044 via cygwin, I get "Can't lookup hostname 10.0.2.24:5044".

That's because you should run telnet 10.0.2.24 5044 and not telnet 10.0.2.24:5044.


Ah, ok. I tried again and it works when I type in the right command.

I edited my filebeat config file because I had some spacing errors:

filebeat:
  prospectors:
    - paths:
      - C:\Windows\System32\winevt\Logs\*
      #  - /var/log/*.log
      encoding: utf-8
      
      input_type: log
      
      document_type: syslog

  registry_file: "C://ProgramData//filebeat//registry"

output:
  logstash:
    hosts: ["10.0.2.24:5044"]
    bulk_max_size: 1024
    index: filebeat
    tls:
      certificate_authorities: ["C:/logstash-forwarder.crt"]
    
    path: "filebeat.template.json"
    
shipper:

logging:
  files:
    rotateeverybytes: 10485760 # = 10MB

I now get the following error:

2016-04-13T23:47:00-04:00 ERR SSL client failed to connect with: dial tcp 10.0.2.24:5044: connectex: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

Can you post your logstash input config?

Hmm...

A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

Is logstash running, or is there some firewall in between?

Here's my 02-beats-input.conf:

input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}

10-syslog-filter:

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    syslog_pri { }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

30-elasticsearch-output.conf:

output {
  elasticsearch {
    hosts => ["localhost:9200"]
    sniffing => true
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}

SSL config looks ok (given the certificates are valid). Can you try to $ ping 10.0.2.24 and telnet 10.0.2.24 5044? I'd expect at least telnet not to work (unresponsive), as the beat is complaining about the remote not responding.
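The ping/telnet suggestion above only checks the TCP layer; the beat actually fails one step later, during the TLS handshake with the Logstash beats input. The following script is an added example (not from this thread or from Filebeat) that runs the same check in stages, so a "host unreachable", a firewall drop (TCP timeout), a closed port, a beats input without ssl => true, and a certificate problem each come out as a different result. Host, port and CA path default to the values from the config posted above; the two helper functions are constructed fixtures for local testing.

```python
import socket
import ssl

def probe_logstash(host, port, ca_file=None, timeout=5.0):
    """Probe a Beats -> Logstash TLS endpoint in stages; return (stage, detail).

    Stages: tcp_error (routing / unreachable host), tcp_timeout (firewall drop or
    host down), tcp_refused (host up, nothing listening), tls_timeout (TCP accepted
    but no TLS reply, e.g. beats input without ssl => true), tls_error
    (certificate/CA mismatch), ok (handshake completed with the given CA).
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return ("tcp_timeout", "no reply to SYN: host down or firewall dropping the port")
    except ConnectionRefusedError:
        return ("tcp_refused", "host reachable but nothing is listening on the port")
    except OSError as exc:
        return ("tcp_error", str(exc))  # e.g. "No route to host" / unreachable host
    # Verify the server certificate against the CA file Filebeat is configured with.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ("ok", "%s with %s" % (tls.version(), tls.cipher()[0]))
    except socket.timeout:
        return ("tls_timeout", "TCP accepted but no TLS handshake reply: is ssl => true on the beats input?")
    except ssl.SSLError as exc:
        return ("tls_error", exc.reason or str(exc))
    finally:
        sock.close()

def closed_local_port():
    """Constructed fixture: a loopback port that was just released, so nothing listens on it."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

def silent_listener():
    """Constructed fixture: a loopback listener that accepts TCP but never answers the
    TLS ClientHello (models a plaintext beats input). The caller must close it."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s

if __name__ == "__main__":
    # Values taken from the filebeat config posted in this thread.
    print(probe_logstash("10.0.2.24", 5044, ca_file="C:/logstash-forwarder.crt"))
```

Run it on the Windows client with the same CA file the beat uses; a tls_error with a hostname/IP mismatch means the certificate's subjectAltName does not cover 10.0.2.24, which the beat would also reject.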

I got it working. I switched to winlogbeat and had to convert my key from .key to .pfx (if I remember correctly). Then I had to use winscp to load the winlogbeat template to my server since Invoke-WebRequest wasn't working. Thanks for the help everyone!