Nxlog cannot connect to logstash

Hi,

I have the problem below:

I have 2 servers:

  • IP Ser1: 10.151.130.119 --> ELK installed
  • IP Ser2: 10.151.130.110 --> OS is Win Server 2008 R2 and nxlog is installed there

My nxlog config file on Ser2 is:

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension syslog>
    Module xm_syslog
</Extension>

<Extension json>
    Module xm_json
</Extension>

<Input in>
    Module im_internal
    Exec $Message = to_json();
</Input>

# For windows 2003 and earlier use the following:

# Windows Event Log
<Input eventlog>
    # Uncomment im_msvistalog for Windows Vista/2008 and later
    #Module im_msvistalog

    # Uncomment im_mseventlog for Windows XP/2000/2003
    Module im_mseventlog

    Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000; to_json();
</Input>

<Output out>
    Module om_tcp
    Host 10.151.130.119
    Port 5544
    Exec to_json();
</Output>

<Route 1>
    Path eventlog, in => out
</Route>

My logstash config file on Ser1 is:

input {
  tcp {
    port => 5544
  }
}

filter {
  json {
    source => "message"
  }

  # Remove redundant fields
  mutate {
    remove_field => [ "message", "@version" ]
  }

  # Create network tags based on IP
  cidr {
    add_tag => [ "ip-src-PrivateIP" ]
    address => [ "%{IPV4_SRC_ADDR}" ]
    network => [ "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" ]
  }

  cidr {
    add_tag => [ "ip-dst-PrivateIP" ]
    address => [ "%{IPV4_DST_ADDR}" ]
    network => [ "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" ]
  }

  cidr {
    add_tag => [ "ip-webserver" ]
    address => [ "%{IPV4_SRC_ADDR}", "%{IPV4_DST_ADDR}" ]
    network => [ "172.16.0.0/24" ]
  }

  cidr {
    add_tag => [ "ip-database" ]
    address => [ "%{IPV4_SRC_ADDR}", "%{IPV4_DST_ADDR}" ]
    network => [ "10.0.0.0/24" ]
  }

  cidr {
    add_tag => [ "ip-workstation" ]
    address => [ "%{IPV4_SRC_ADDR}", "%{IPV4_DST_ADDR}" ]
    network => [ "192.168.1.0/24" ]
  }

  # Remove redundant fields
  mutate {
    remove_field => [ "message" ]
  }

  # Create Geo info based on IP

  # Netflow source IP
  geoip {
    source => "IPV4_SRC_ADDR"
    target => "src_geoip"
    fields => ["country_code2", "country_name", "continent_code", "region_name", "real_region_name", "city_name", "postal_code", "timezone", "location"]
  }

  # Netflow destination IP
  geoip {
    source => "IPV4_DST_ADDR"
    target => "dst_geoip"
    fields => ["country_code2", "country_name", "continent_code", "region_name", "real_region_name", "city_name", "postal_code", "timezone", "location"]
  }
}

output {
  stdout {
    codec => rubydebug
  }
}

And the trouble I have is:

  • When I use Kibana's Discover tab to show data --> the result is "No result found"
  • When I check Kibana's Status --> the report is OK (STATUS GREEN), but in the LOAD box --> database = 0 (no other databases are being transferred)
  • When I check the nxlog.log file --> I get the report --> ERROR couldn't connect to tcp socket on 10.151.130.119:5544; No connection could be made because the target machine actively refused it.

I don't know where my mistake is.

Please help me resolve my trouble.

Is 10.151.130.119 really the machine where Logstash runs? Is Logstash actually listening on port 5544? Can you connect to that port from the same machine? Could there be a firewall blocking the access?
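A small diagnostic script for the three questions in the reply, added here as an example and not part of the thread or of either product. It is meant to run on the ELK host (10.151.130.119 in this thread) and takes port 5544 from the nxlog om_tcp block; the two listings inside it are constructed samples, not output captured from the poster's server, and the use of ss/netstat, bash's /dev/tcp and iptables is an assumption about that host.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Run on the Logstash host (Ser1) to check
# the three things the reply asks about: is something listening on the nxlog
# destination port, does a local TCP connect succeed, and does the host
# firewall have a rule for that port. Port 5544 is the Port from the nxlog
# om_tcp block; everything else is an assumption of this script.

LISTEN_PORT="${1:-5544}"

# Constructed sample listings (not captured from the poster's server), in the
# column layout of `ss -ltn`; used by the self-checks and to show the loopback
# case that refuses remote senders.
SAMPLE_LOOPBACK_ONLY='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:5044       0.0.0.0:*
LISTEN 0      128    127.0.0.1:5544     0.0.0.0:*'
SAMPLE_OK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    *:5544             *:*'

# listener_address LISTING PORT
# Prints the local bind address of every TCP listener on PORT found in LISTING
# (accepts `ss -ltn` or `netstat -ltn` output: the local address is column 4 and
# LISTEN is the first or the last column). Exit status 1 when nothing listens.
listener_address() {
  printf '%s\n' "$1" | awk -v p="$2" '
    ($1 == "LISTEN" || $NF == "LISTEN") {
      n = split($4, a, ":")
      if (a[n] == p) { sub(":" p "$", "", $4); print $4; found = 1 }
    }
    END { exit found ? 0 : 1 }'
}

# bind_is_remote_reachable ADDR
# A listener bound only to loopback accepts local connects but refuses the
# Windows host, which is exactly the "actively refused" error in nxlog.log.
bind_is_remote_reachable() {
  case "$1" in
    127.*|::1|"[::1]") return 1 ;;
    *) return 0 ;;
  esac
}

# tcp_probe HOST PORT: a bare TCP connect with a 3 second timeout (bash /dev/tcp,
# so it works without nc/telnet). 0 = connected, non-zero = refused or filtered.
tcp_probe() {
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

main() {
  listing="$(ss -ltn 2>/dev/null || netstat -ltn 2>/dev/null)"
  if addr="$(listener_address "$listing" "$LISTEN_PORT")"; then
    echo "TCP $LISTEN_PORT is listening, bound to: $addr"
    bind_is_remote_reachable "$addr" ||
      echo "  bound to loopback only: remote senders are refused (set host => \"0.0.0.0\" on the tcp input)"
  else
    echo "nothing listens on TCP $LISTEN_PORT: Logstash is not running, or its tcp input uses another port"
  fi

  if tcp_probe 127.0.0.1 "$LISTEN_PORT"; then
    echo "local connect to 127.0.0.1:$LISTEN_PORT succeeded"
  else
    echo "local connect to 127.0.0.1:$LISTEN_PORT failed"
  fi

  # Host firewall (iptables assumed): print any INPUT rule that names the port.
  if command -v iptables >/dev/null 2>&1; then
    iptables -S INPUT 2>/dev/null | grep -- "--dport $LISTEN_PORT" ||
      echo "no explicit INPUT rule for port $LISTEN_PORT; check the chain policy with: iptables -S INPUT | head -1"
  fi
}

main
```

Read the first line of output against the error in nxlog.log: "nothing listens" means Logstash is down or bound elsewhere, while a loopback-only bind explains a refused connection from Ser2 even though a local connect succeeds. If both checks pass on Ser1, the refusal is coming from something between the two hosts (a network firewall or a NAT device), not from Logstash.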