Logstash eventlog


(Michael) #1

I'm trying to get logstash to send Windows 7 64-bit event logs to elasticsearch (all local for the moment) but logstash seems to have a problem.

I have ES running with kibana and marvel locally, but when I start logstash it seems to have problems either reading the event log or sending it to my ES.

I saw elsewhere that some use nxlog, but is it possible to use the eventlog plugin? https://www.elastic.co/guide/en/logstash/master/plugins-inputs-eventlog.html

logstash -f WinEventLog.conf
io/console not supported; tty will not be manipulated
May 21, 2015 1:51:58 PM org.elasticsearch.node.internal.InternalNode <init>
INFO: [logstash-cdiml64-18228-7948] version[1.5.1], pid[18228], build[5e38401/2015-04-09T13:41:35Z]
May 21, 2015 1:51:58 PM org.elasticsearch.node.internal.InternalNode <init>
INFO: [logstash-cdiml64-18228-7948] initializing ...
May 21, 2015 1:51:58 PM org.elasticsearch.plugins.PluginsService <init>
INFO: [logstash-cdiml64-18228-7948] loaded [], sites []
Windows Event Log error: Invoke of: NextEvent
Source: SWbemEventSource
Description: Timed out

And here is my config, but no index or data gets added to my cluster. I have 9200, 9300 and the logstash port open on the Windows firewall.

input {
  eventlog {
    type    => 'Win32-EventLog'
    logfile => "System"
  }
  eventlog {
    type    => 'Win32-EventLog'
    logfile => "Application"
  }
}

output {
  elasticsearch {
    host    => "localhost"
    cluster => "wines"
    # Elasticsearch index names must be lowercase; "WinEventLog" is rejected
    # when the output tries to create the index, so nothing is written.
    index   => "wineventlog"
  }
}

Any pointers on just getting a simple setup running in Windows using just ELK?
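An added diagnostic, not from this thread and not the plugin's own code: the error names SWbemEventSource and NextEvent, the WMI scripting objects used to wait for notification events, and "Timed out" is what NextEvent reports when no matching event arrives within its wait interval. The Windows PowerShell 5.1 script below issues the same kind of WMI query directly (new Win32_NTLogEvent instances in one log, which is assumed here to be what the plugin subscribes to), writes a test event, and reports whether WMI delivered it. The source name EventlogPluginTest, the event ID and the message are constructed for the test; run it from an elevated prompt.

```powershell
# Added diagnostic for WMI event-log delivery; not part of the thread or of
# logstash-input-eventlog. Assumes the plugin subscribes to new Win32_NTLogEvent
# instances through a WMI notification query, which is what the SWbemEventSource /
# NextEvent names in the error indicate.
param(
    [string]$Logfile = "Application",   # same value as logfile => "..." in the config
    [int]$TimeoutSeconds = 30
)

# Same shape of query the plugin is assumed to run, restricted to one log.
$query = "SELECT * FROM __InstanceCreationEvent " +
         "WHERE TargetInstance ISA 'Win32_NTLogEvent' " +
         "AND TargetInstance.Logfile = '$Logfile'"

# Queue matching events for this session instead of handling them in an action block.
Register-WmiEvent -Query $query -SourceIdentifier "NTLogWatch" -ErrorAction Stop

# Write a test event so the subscription has something to deliver.
# "EventlogPluginTest" is a constructed source name; registering it needs an elevated shell.
$source = "EventlogPluginTest"
if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    New-EventLog -LogName $Logfile -Source $source
}
Write-EventLog -LogName $Logfile -Source $source -EventId 1000 `
    -EntryType Information -Message "eventlog plugin WMI delivery test"

# Wait-Event returns $null when nothing arrives before the timeout, which is the
# same condition the plugin reports as "NextEvent ... Timed out".
$evt = Wait-Event -SourceIdentifier "NTLogWatch" -Timeout $TimeoutSeconds
if ($null -eq $evt) {
    Write-Warning ("No Win32_NTLogEvent for log '{0}' arrived within {1}s: WMI event " +
                   "delivery is not working here (check the winmgmt service and that " +
                   "this shell is elevated)." -f $Logfile, $TimeoutSeconds)
} else {
    $e = $evt.SourceEventArgs.NewEvent.TargetInstance
    "{0}  {1}  {2}  EventCode={3}" -f $e.TimeGenerated, $e.Logfile, $e.SourceName, $e.EventCode
    Remove-Event -SourceIdentifier "NTLogWatch"
}
Unregister-Event -SourceIdentifier "NTLogWatch"
```

If the test event is printed, WMI delivers event-log notifications on this host and the plugin should see events too, so the problem is downstream (the output side, for example the index name). If the warning fires, the plugin will time out the same way regardless of the Logstash output configuration.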


(Roland) #2

I'm having a similar issue. This works on my Windows 8.1 64bit laptop, but not on a Windows 2008 64bit server. The error message I'm getting is below.

{:timestamp=>"2015-06-03T15:48:00.274000+1200", :message=>"Windows Event Log error: Invoke of: NextEvent\nSource: SWbemEventSource\nDescription: Timed out \n\n[\"org.racob.com.Dispatch.invokev(Native Method)\", \"org.racob.com.Dispatch.invokev(Dispatch.java:243)\", \"org.racob.com.Dispatch.callN(Dispatch.java:187)\", \"org.jruby.ext.win32ole.RubyWIN32OLE.invokeMethodOrGet(RubyWIN32OLE.java:205)\", \"org.jruby.ext.win32ole.RubyWIN32OLE.method_missing(RubyWIN32OLE.java:113)\", \"org.jruby.ext.win32ole.RubyWIN32OLE$INVOKER$i$0$0$method_missing.call(RubyWIN32OLE$INVOKER$i$0$0$method_missing.gen)\", \"org.jruby.internal.runtime.methods.JavaMethod$JavaMethodN.call(JavaMethod.java:677)\", \"org.jruby.runtime.Helpers$MethodMissingMethod.call(Helpers.java:452)\", \"org.jruby.internal.runtime.methods.DynamicMethod.call(DynamicMethod.java:210)\", \"org.jruby.runtime.callsite.CachingCallSite.callMethodMissing(CachingCallSite.java:401)\", \"org.jruby.runtime.callsite.CachingCallSite.cacheAndCall(CachingCallSite.java:323)\", \"org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:170)\", \"org.jruby.ast.CallOneArgNode.interpret(CallOneArgNode.java:57)\", \"org.jruby.ast.DAsgnNode.interpret(DAsgnNode.java:110)\", \"org.jruby.ast.NewlineNode.interpret(NewlineNode.java:105)\", \"org.jruby.ast.BlockNode.interpret(BlockNode.java:71)\", \"org.jruby.evaluator.ASTInterpreter.INTERPRET_BLOCK(ASTInterpreter.java:112)\", \"org.jruby.runtime.Interpreted19Block.evalBlockBody(Interpreted19Block.java:206)\", \"org.jruby.runtime.Interpreted19Block.yield(Interpreted19Block.java:157)\", \"org.jruby.runtime.Interpreted19Block.yieldSpecific(Interpreted19Block.java:130)\", \"org.jruby.runtime.Block.yieldSpecific(Block.java:111)\", \"org.jruby.RubyKernel.loop(RubyKernel.java:1507)\", \"org.jruby.RubyKernel$INVOKER$s$0$0$loop.call(RubyKernel$INVOKER$s$0$0$loop.gen)\", \"org.jruby.runtime.callsite.CachingCallSite.cacheAndCall(CachingCallSite.java:316)\", \"org.jruby.runtime.callsite.CachingCallSite.callBlock(CachingCallSite.java:145)\", \"org.jruby.runtime.callsite.CachingCallSite.callIter(CachingCallSite.java:154)\", \"org.jruby.ast.FCallNoArgBlockNode.interpret(FCallNoArgBlockNode.java:32)\", \"org.jruby.ast.NewlineNode.interpret(NewlineNode.java:105)\", \"org.jruby.ast.BlockNode.interpret(BlockNode.java:71)\", \"org.jruby.ast.RescueNode.executeBody(RescueNode.java:221)\", \"org.jruby.ast.RescueNode.interpret(RescueNode.java:116)\", \"org.jruby.ast.BeginNode.interpret(BeginNode.java:83)\", \"org.jruby.ast.NewlineNode.interpret(NewlineNode.java:105)\", \"org.jruby.ast.BlockNode.interpret(BlockNode.java:71)\", \"org.jruby.evaluator.ASTInterpreter.INTERPRET_METHOD(ASTInterpreter.java:74)\", \"org.jruby.internal.runtime.methods.InterpretedMethod.call(InterpretedMethod.java:182)\", \"org.jruby.internal.runtime.methods.DefaultMethod.call(DefaultMethod.java:203)\", \"org.jruby.runtime.callsite.CachingCallSite.cacheAndCall(CachingCallSite.java:326)\", \"org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:170)\", \"org.jruby.ast.CallOneArgNode.interpret(CallOneArgNode.java:57)\", \"org.jruby.ast.NewlineNode.interpret(NewlineNode.java:105)\", \"org.jruby.ast.RescueNode.executeBody(RescueNode.java:221)\", \"org.jruby.ast.RescueNode.interpret(RescueNode.java:116)\", \"org.jruby.ast.BeginNode.interpret(BeginNode.java:83)\", \"org.jruby.ast.NewlineNode.interpret(NewlineNode.java:105)\", \"org.jruby.ast.BlockNode.interpret(BlockNode.java:71)\", \"org.jruby.ast.EnsureNode.interpret(EnsureNode.java:96)\", \"org.jruby.evaluator.ASTInterpreter.INTERPRET_METHOD(ASTInterpreter.java:74)\", \"org.jruby.internal.runtime.methods.InterpretedMethod.call(InterpretedMethod.java:182)\", \"org.jruby.internal.runtime.methods.DefaultMethod.call(DefaultMethod.java:203)\", \"org.jruby.runtime.callsite.CachingCallSite.cacheAndCall(CachingCallSite.java:326)\", \"org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:170)\", \"org.jruby.ast.FCallOneArgNode.interpret(FCallOneArgNode.java:36)\", \"org.jruby.ast.NewlineNode.interpret(NewlineNode.java:105)\", \"org.jruby.evaluator.ASTInterpreter.INTERPRET_BLOCK(ASTInterpreter.java:112)\", \"org.jruby.runtime.Interpreted19Block.evalBlockBody(Interpreted19Block.java:206)\", \"org.jruby.runtime.Interpreted19Block.yield(Interpreted19Block.java:194)\", \"org.jruby.runtime.Interpreted19Block.call(Interpreted19Block.java:125)\", \"org.jruby.runtime.Block.call(Block.java:101)\", \"org.jruby.RubyProc.call(RubyProc.java:290)\", \"org.jruby.RubyProc.call(RubyProc.java:228)\", \"org.jruby.internal.runtime.RubyRunnable.run(RubyRunnable.java:99)\", \"java.lang.Thread.run(Unknown Source)\"]", :level=>:error}
