Not able to setup filebeat on windows server 2012 R2

babeesh · January 15, 2016, 6:34am

I am trying to setup filebeat on windows server.
filebeat version : filebeat-1.2.0-nightlylatest-windows
I will brieg the steps I did..

PS C:\Scripts\filebeat> ./install-service-filebeat.ps1
Here I got some execution policy error on PS. I put All executionpolicy unrestricted, then I was able to run that script.
Edit filebeat.yml file: Below I put my file contents..

paths:
# - /var/log/*.log
- C:\Program Files\Apache Software Foundation\Tomcat 7.0\logs*
input_type: log
document_type: apache
registry_file: "C:/ProgramData/filebeat/registry"
output:
logstash:
# The Logstash hosts
hosts: ["192.168.2.6:5044"]
Loading the Index Template in Elasticsearch : From here itself I am stuck. I use below command to do this...

PS C:\Scripts\filebeat\filebeat> Invoke-WebRequest -Method Put -InFile filebeat.template.json -Uri http://192.168.2.6:9200/_template/filebeat?pretty

And the error message is..

Invoke-WebRequest : Unable to connect to the remote server
At line:1 char:1

Invoke-WebRequest -Method Put -InFile filebeat.template.json -Uri http://192.168 ...

  + CategoryInfo          : NotSpecified: (:) [Invoke-WebRequest], WebException
  + FullyQualifiedErrorId : System.Net.WebException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

I tried to start the filebeat service :

PS C:\Scripts\filebeat\filebeat> Start-Service filebeat

But it simply goes to next line.

I setup ELK on ubuntu 14.04. And here is my logstash configuration file (logstash-filter.conf)

input {
tcp{
port => 5044
type => "logs"
}
}

filter {
if [type] == "apache" {
grok {
match => { "message" => "%{COMBINEDAPACHELOG}" }
}
date {
match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
}
}
}
output {
elasticsearch { hosts => ["localhost:9200"] }
stdout { codec => rubydebug }
}

I don't know in which area I am wrong.

magnusbaeck · January 15, 2016, 7:13am

And the error message is..

Invoke-WebRequest : Unable to connect to the remote server

So... the service isn't running or there's a network issue preventing the connection.

PS C:\Scripts\filebeat\filebeat> Start-Service filebeat

But it simply goes to next line.

What did you expect should've happened? I haven't use Start-Service myself, but a successful start of a service shouldn't necessarily result in any output.

babeesh · January 15, 2016, 9:33am

I figure out the reason for connection error. I will make it clear soon.

What are other methods to start filebeat.?
Is there any problem with my filebeat.yml file? Because I am not getting any logs in logserver.

magnusbaeck · January 15, 2016, 9:51am

Is there any problem with my filebeat.yml file?

If you post your configuration and format it as code it will be possible to review it.

Because I am not getting any logs in logserver.

What does the Filebeat logfile say? You may need to increase the logging verbosity by starting Filebeat with (IRRC) -v -d "*".

carmelom · January 15, 2016, 12:27pm

Thank you, for you time, I sort it out.

babeesh · January 16, 2016, 4:59am

Sorry for the delay. Below is my filebeat.yml file.


paths:
# - /var/log/*.log
- C:\Program Files\Apache Software Foundation\Tomcat 7.0\logs*
input_type: log
document_type: apache
registry_file: "C:/ProgramData/filebeat/registry"
output:
logstash:
hosts: ["192.168.2.6:5044"]

And my logstash configuration file (logstash-filter.conf)

 
input { 
tcp{
port => 5044
type => "logs"
}
}
filter {

if [type] == "apache" {

grok {

match => { "message" => "%{COMBINEDAPACHELOG}" }

}

date {

match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]

}

}

}

output {

elasticsearch { hosts => ["localhost:9200"] }

stdout { codec => rubydebug }

}

babeesh · January 16, 2016, 9:52am

Finally I managed to ship logs to logserver.
Here What I did

Edit /etc/elasticsearch/elasticsearch.yml

network.host : 0.0.0.0 http.port : 9200

Thank you