New winlogbeat setup

All,

Recently I've configured my first ELK server. It's capturing its own logs fine. I want to use winlogbeat to send logs from my windows servers to my ELK server. Maybe I've missed something, but I've followed the winlogbeats documentation. When I run the configuration check it completes ok.

The issue is that logs are not populating in my kibana dashboard. What am I missing?

Here's the output I get when I run .\import_dashboards.exe -es http://ELKserverIP:9200

Error importing URL/file: Failed to import index-pattern: Failed to load directory C:\Users\ADMIN-~1\AppData\Local\Temp\7\tmp636719035\beats-dashboards-5.4.3\winlogbeat/index-pattern:
error loading C:\Users\ADMIN-~1\AppData\Local\Temp\7\tmp636719035\beats-dashboards-5.4.3\winlogbeat\index-pattern\winlogbeat.json: couldn't load json. Error: Put http://ELKserverIP:9200/.kibana/index-pattern/winlogbeat-*: dial tcp ELKserverIP:9200: connectex: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
Exiting

Seems like the Elasticsearch server is not reachable. Are you able to access http://ELKserverIP:9200 from the browser on the Winlogbeat host?

Did you change the Elasticsearch configuration to use the server's IP address rather than 127.0.0.1? (the setting is in elasticsearch.yml)

Until you make that change, Elasticsearch is only accessible from the local system. Similarly, you'll need to change the kibana.yml (and logstash.yml, if you're using it) files so that you can view Kibana from external sources, and direct winlogbeat feeds through Logstash.

from my windows server and my laptop (same network) I am now able to point a browser to http://ELKServerIP:9200

{
"name" : "syslog",
"cluster_name" : "syslog",
"cluster_uuid" : "bNHch5Y7RzqSP6JUBIyJSQ",
"version" : {
"number" : "5.4.3",
"build_hash" : "eed30a8",
"build_date" : "2017-06-22T00:34:03.743Z",
"build_snapshot" : false,
"lucene_version" : "6.5.1"
},
"tagline" : "You Know, for Search"
}

Yes, I have changed the .yml config files for kibana, elasticsearch, and logstash to the server's IP. When I connect my browser to http://serverIP:5601 the kibana dashboard opens, but when I go to discover (with winlogbeat-* as the index), it has nothing to display.

I know I'm missing something, just not sure what it is at the moment.

Are there any errors in the Winlogbeat log file? And please share your Winlogbeat config.

Below are the configs for elasticsearch, logstash, and kibana (installed on linux). I'm down to extremely basic configurations. Here's my winlogbeat config as well, from a 2102 Windows server.


winlogbeat config
#-----Event Logs -----
winlogbeat.event_logs:
  - name: Application
    ignore_older: 48h
  - name: Security
    ignore_older: 48h
  - name: System
    ignore_older: 48h
  - name: Windows PowerShell
    ignore_older: 48h

#-----Elasticsearch Output -----

output.elasticsearch:
  hosts:
    - 10.240.1.130:9200

logging.to_files: true
logging.files:
  path: C:/ProgramData/winlogbeat/Logs
logging.level: info

#-----Logstash output -----

output.logstash:
  hosts: ["10.240.1.130:5044"]


Kibana config

server.host: "10.240.1.130"
server.name: "bones"
elasticsearch.url: "http://10.240.1.130:9200"


Elasticsearch config

cluster.name: syslog
node.name: syslog
network.host: 10.240.1.130
http.port: 9200


Logstash config

node.name: syslog
http.host: "10.240.1.130"

Here are some of the errors from the winlogbeat log:

2017-07-06T21:11:55-05:00 INFO Non-zero metrics in the last 30s: uptime={"server_time":"2017-07-07T02:11:55.5682649Z","start_time":"2017-07-06T01:14:26.467413Z","uptime":"24h57m29.1008519s","uptime_ms":"89849100851"}
2017-07-06T21:12:25-05:00 INFO Non-zero metrics in the last 30s: uptime={"server_time":"2017-07-07T02:12:25.5669758Z","start_time":"2017-07-06T01:14:26.467413Z","uptime":"24h57m59.0995628s","uptime_ms":"89879099562"}
2017-07-06T21:12:48-05:00 ERR Connecting error publishing events (retrying): dial tcp 10.240.1.130:5044: connectex: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

2017-07-06T21:12:55-05:00 INFO Non-zero metrics in the last 30s: uptime={"server_time":"2017-07-07T02:12:55.567702Z","start_time":"2017-07-06T01:14:26.467413Z","uptime":"24h58m29.100289s","uptime_ms":"89909100289"}
2017-07-06T21:13:25-05:00 INFO Non-zero metrics in the last 30s: uptime={"server_time":"2017-07-07T02:13:25.5674082Z","start_time":"2017-07-06T01:14:26.467413Z","uptime":"24h58m59.0999952s","uptime_ms":"89939099995"}
2017-07-06T21:13:55-05:00 INFO Non-zero metrics in the last 30s: uptime={"server_time":"2017-07-07T02:13:55.5671391Z","start_time":"2017-07-06T01:14:26.467413Z","uptime":"24h59m29.0997261s","uptime_ms":"89969099726"}
2017-07-06T21:14:09-05:00 ERR Connecting error publishing events (retrying): dial tcp 10.240.1.130:5044: connectex: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

2017-07-06T21:14:25-05:00 INFO Non-zero metrics in the last 30s: uptime={"server_time":"2017-07-07T02:14:25.5668625Z","start_time":"2017-07-06T01:14:26.467413Z","uptime":"24h59m59.0994495s","uptime_ms":"89999099449"}

Are you wanting to send the event logs to Logstash or Elasticsearch? You have both outputs enabled so it is trying to deliver the event logs to both Logstash (which it cannot connect to) and to Elasticsearch. It will wait for Logstash to become available before continuing to read events so none of the outputs will receive events if any one of the outputs is unavailable.

Assuming you want to send directly to Elasticsearch (recommended when getting started), remove the Logstash output from the config and restart.
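The two diagnostic steps in this thread, confirming that the output host is reachable from the Winlogbeat machine and noticing that both output.elasticsearch and output.logstash are enabled, can be scripted as a preflight check. The following is an added example written for this page, not Beats' own code or anything from Elastic. It assumes the simple `output.<name>:` / `hosts:` layout of the winlogbeat.yml posted above (the reader is a hypothetical line-based scan, not a YAML parser), and the sample config embedded in it is constructed from that post.

```python
"""Preflight check for a Beats YAML config: list the enabled outputs and probe
each configured host:port over TCP. Added example for this thread, not Beats'
own code. The YAML scan is a minimal line-based reader for the
`output.<name>:` / `hosts:` layout shown above, not a general YAML parser."""
import re
import socket
from typing import Callable, Dict, List, Tuple

# Constructed sample: the winlogbeat.yml posted above, with both outputs enabled.
SAMPLE_CONFIG = """\
winlogbeat.event_logs:
  - name: Application
    ignore_older: 48h
  - name: Security
    ignore_older: 48h

output.elasticsearch:
  hosts:
    - 10.240.1.130:9200

logging.to_files: true

output.logstash:
  hosts: ["10.240.1.130:5044"]
"""

# Default ports for the two outputs used in the thread.
DEFAULT_PORTS = {"elasticsearch": 9200, "logstash": 5044}

OUTPUT_RE = re.compile(r"^output\.(\w+):\s*$")
FLOW_HOSTS_RE = re.compile(r"^\s+hosts:\s*\[(.*)\]\s*$")   # hosts: ["a:1", "b:2"]
BLOCK_HOSTS_RE = re.compile(r"^\s+hosts:\s*$")             # hosts:  followed by "- a:1" items
ITEM_RE = re.compile(r"^\s+-\s*(.+?)\s*$")


def enabled_outputs(config_text: str) -> Dict[str, List[str]]:
    """Map each enabled output section name to its configured host:port strings."""
    outputs: Dict[str, List[str]] = {}
    current = None          # output section we are inside, if any
    in_hosts_block = False  # inside a block-style hosts: list
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip comments and trailing space
        if not line.strip():
            continue
        m = OUTPUT_RE.match(line)
        if m:
            current, in_hosts_block = m.group(1), False
            outputs[current] = []
            continue
        if not line[0].isspace():             # any other top-level key ends the section
            current, in_hosts_block = None, False
            continue
        if current is None:
            continue
        m = FLOW_HOSTS_RE.match(line)
        if m:
            outputs[current] = [h.strip().strip("\"'") for h in m.group(1).split(",") if h.strip()]
            in_hosts_block = False
            continue
        if BLOCK_HOSTS_RE.match(line):
            in_hosts_block = True
            continue
        m = ITEM_RE.match(line) if in_hosts_block else None
        if m:
            outputs[current].append(m.group(1).strip("\"'"))
        else:
            in_hosts_block = False
    return outputs


def split_host_port(hostport: str, default_port: int) -> Tuple[str, int]:
    """'10.0.0.1:9200' -> ('10.0.0.1', 9200); a bare host gets the output's default port."""
    hp = hostport.split("://", 1)[-1]         # tolerate http://host:port
    host, sep, port = hp.rpartition(":")
    return (host, int(port)) if sep else (hp, default_port)


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake with host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(config_text: str, probe: Callable[[str, int], bool] = tcp_reachable) -> dict:
    """Report enabled outputs, per-host reachability and the problems found."""
    outputs = enabled_outputs(config_text)
    report = {"outputs": sorted(outputs), "hosts": {}, "problems": []}
    if len(outputs) > 1:
        report["problems"].append(
            "multiple outputs enabled (%s): an unreachable one stalls delivery to all"
            % ", ".join(sorted(outputs)))
    for name, hosts in outputs.items():
        for hp in hosts:
            host, port = split_host_port(hp, DEFAULT_PORTS.get(name, 0))
            ok = probe(host, port)
            report["hosts"][hp] = ok
            if not ok:
                report["problems"].append("%s output: %s:%d not reachable" % (name, host, port))
    return report


def demo_local_probe() -> Tuple[bool, bool]:
    """Exercise tcp_reachable offline: against a live loopback listener, then after it closes."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    live = tcp_reachable("127.0.0.1", port, timeout=1.0)
    srv.close()
    return live, tcp_reachable("127.0.0.1", port, timeout=1.0)


if __name__ == "__main__":
    for line in preflight(SAMPLE_CONFIG)["problems"] or ["no problems found"]:
        print(line)
```

Run on the Winlogbeat host against the real file (`preflight(open("winlogbeat.yml").read())`), the two problems it reports for the posted config are exactly the ones diagnosed above: two outputs enabled, and 10.240.1.130:5044 refusing the connection. One caveat on the network.host change suggested earlier in the thread: once Elasticsearch listens on a routable address instead of 127.0.0.1, port 9200 answers every host on that network, and Elasticsearch 5.x has no authentication without X-Pack, so the reachability that makes shipping work is the same reachability a firewall rule now has to scope.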

Thanks Andrew that resolved the issue! Sorry for my confusion...I'm brand new to the ELK stack. I actually came across it in a linux training class.

My server logs are now displayed in kibana. Now I need to figure out how to set up some dashboards and get other servers added. Haven't even looked at setting up dashboards yet...
