NXLog and shield on elastic cloud

Hi
I am trying to send logs from my Windows machine to Elastic Cloud using NXLog CE, but could not authorize on the endpoint, which is protected by Shield.
When I add the following record:

<Output elasticsearch>
    Module      om_http
    URL         http://my_cloud_endpoint.found.io:9200/
    ContentType application/json
    Exec        set_http_request_path(strftime($EventTime, "/nxlog-%Y%m%d/" + $SourceModuleName)); rename_field("timestamp","@timestamp"); to_json();
</Output>

I receive 401 Not authorized

When I add the same URL that I use to post via cURL

<Output elasticsearch>
    Module      om_http
    URL         http://userName:password@my_cloud_endpoint.found.io:9200/
    ContentType application/json
    Exec        set_http_request_path(strftime($EventTime, "/nxlog-%Y%m%d/" + $SourceModuleName)); rename_field("timestamp","@timestamp"); to_json();
</Output>

I receive 2016-04-13 09:03:10 ERROR apr_sockaddr_info failed for userName:p; No such host is known.

Can you help me in feeding my logs to Elasticsearch?

Why not use file or winlogbeat instead?

Can you work it out, please? I am very new to this :frowning: and it looks like I am missing some really obvious points

I don't know nxlog, it's been a long time since I used it, which is why I mentioned filebeat and winlogbeat.
They are built and supported by us so you will have an easier time in integrating them.

Ah, yes, I see now :slight_smile:
Beats you mean this one: https://www.elastic.co/downloads/beats/winlogbeat
Ok, I will give it a try
Thanks for guiding

JFYI: Elasticsearch module is not a feature in nxlog CE, you must use the enterprise edition.

Thank you, I saw it

I am trying to have several indexes - one fed by WinBeat, a second one fed by FileBeat. Is it actually possible?

Yes, you need to use conditionals or variables with Logstash.

It might be a better question for the Logstash category though.
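A sketch of the conditional routing mentioned above, as an added example that is not from any poster in this thread: a self-managed Logstash pipeline that receives both Beats and writes each to its own index, authenticating to the Shield-protected cluster with the output plugin's `user` and `password` settings instead of credentials embedded in the URL. The port 5044, the environment variable names (`ES_URL`, `ES_USER`, `ES_PASSWORD`) and the `unrouted-` index name are assumptions.

```logstash
# Added example, not the thread's own configuration.
# ES_URL, ES_USER and ES_PASSWORD are assumed environment variables;
# ES_URL should be the cluster's https:// endpoint so the Shield
# credentials are not sent in clear text.

input {
  beats {
    port => 5044          # assumed port; Winlogbeat and Filebeat both ship here
  }
}

output {
  # Each Beat sets [@metadata][beat] to its own name, so it can be
  # used to tell the two sources apart.
  if [@metadata][beat] == "winlogbeat" {
    elasticsearch {
      hosts    => ["${ES_URL}"]
      user     => "${ES_USER}"
      password => "${ES_PASSWORD}"
      index    => "winlogbeat-%{+YYYY.MM.dd}"
    }
  } else if [@metadata][beat] == "filebeat" {
    elasticsearch {
      hosts    => ["${ES_URL}"]
      user     => "${ES_USER}"
      password => "${ES_PASSWORD}"
      index    => "filebeat-%{+YYYY.MM.dd}"
    }
  } else {
    # Anything from an unexpected shipper lands in a separate index
    # instead of silently mixing with the two known sources.
    elasticsearch {
      hosts    => ["${ES_URL}"]
      user     => "${ES_USER}"
      password => "${ES_PASSWORD}"
      index    => "unrouted-%{+YYYY.MM.dd}"
    }
  }
}

# The "variables" form does the same routing in a single output:
#   index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
```

Give the account behind `ES_USER` a Shield role limited to writing these index patterns, so a leaked shipper credential cannot read or delete other data.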

And here is a problem -- https://cloud.elastic.co does not have Logstash. Or maybe I miss something?

No, you need to manage that yourself at the moment.

Ahh... It's a pity. I am looking for a solution which will allow me to show developers the raw log stream, and perform analytical tasks on this stream later. It seems that Elastic Cloud does not fit into this, or am I missing something again?

It's not really the way the stack works, it's more around doing upfront definition to make the following analysis more efficient.