Problem with beats logstash plugins

orsa · July 14, 2016, 6:29pm

Hi
i have a problem with beat logstash plugin. He dosen`t send windows event log to ES.
My Schema
Winlogbeat => Logstash => ES
if i send log directly to ES - all work.

TCP packages to LS is come.

logstash 2.3.4
logstash-input-beats (2.2.9)

OS: Ubuntu 14.04

logstash config:
input {
# windows eventlog from winlogbeats
beats {
port => 5044
}
}
output {
#stdout { codec => rubydebug }
elasticsearch {
hosts => ["1.1.1.1"]
manage_template => false
index => "%{[@metadata][type]}-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"
}
}

orsa · July 18, 2016, 5:48pm

anybody help me? any idia?

muhamadli302 · July 21, 2016, 1:00pm

What is your Winlogbeat configuration?
Also, do you have any output from the stdout plugin?

orsa · July 21, 2016, 8:11pm

hi muhamadli302
thank for you answer.

my winlogbeat config file

winlogbeat:
  registry_file: C:/ProgramData/winlogbeat/.winlogbeat.yml
  event_logs:
    - name: Application 
    - name: Security
    - name: System

output:
  #logstash:
          hosts: ["192.168.1.42:5044"]

logging:
  to_files: true
  files:
    path: C:/ProgramData/winlogbeat/Logs
    rotateeverybytes: 10485760 # = 10MB
  level: info

I have empty output, when i run LS with

stdout { codec => rubydebug }

but tcpdump capche packet from winlogbeat host.

orsa · July 21, 2016, 9:27pm

Miracle )))
muhamadli302 thank for idea
i forgot delete "#" before logstash )))
all work nice.