Problems with winlogbeat

Hello, I have installed the ELK Stack in version 6.2 on CentOS.

When I want to send the logs from my Windows server, this is what appears in the Logstash service logs:

2018-02-09T10:20:40+01:00 ERR Failed to publish events: client is not connected
2018-02-09T10:20:40+01:00 ERR Failed to publish events caused by: lumberjack protocol error
2018-02-09T10:20:40+01:00 ERR Failed to publish events caused by: client is not connected
2018-02-09T10:20:41+01:00 ERR Failed to publish events: client is not connected
2018-02-09T10:20:41+01:00 ERR Failed to publish events caused by: lumberjack protocol error
2018-02-09T10:20:41+01:00 ERR Failed to publish events caused by: client is not connected
2018-02-09T10:20:42+01:00 ERR Failed to publish events: client is not connected
2018-02-09T10:20:42+01:00 ERR Failed to publish events caused by: lumberjack protocol error
2018-02-09T10:20:42+01:00 ERR Failed to publish events caused by: client is not connected
2018-02-09T10:20:43+01:00 ERR Failed to publish events: client is not connected
2018-02-09T10:20:43+01:00 ERR Failed to publish events caused by: lumberjack protocol error
2018-02-09T10:20:43+01:00 ERR Failed to publish events caused by: client is not connected
2018-02-09T10:20:44+01:00 ERR Failed to publish events: client is not connected
2018-02-09T10:20:44+01:00 ERR Failed to publish events caused by: lumberjack protocol error
2018-02-09T10:20:44+01:00 ERR Failed to publish events caused by: client is not connected
2018-02-09T10:20:45+01:00 ERR Failed to publish events: client is not connected
2018-02-09T10:20:45+01:00 ERR Failed to publish events caused by: lumberjack protocol error
2018-02-09T10:20:45+01:00 ERR Failed to publish events caused by: client is not connected
2018-02-09T10:20:46+01:00 ERR Failed to publish events: client is not connected
2018-02-09T10:20:46+01:00 ERR Failed to publish events caused by: lumberjack protocol error
2018-02-09T10:20:46+01:00 ERR Failed to publish events caused by: client is not connected
2018-02-09T10:20:47+01:00 ERR Failed to publish events: client is not connected
2018-02-09T10:20:47+01:00 ERR Failed to publish events caused by: lumberjack protocol error
2018-02-09T10:20:47+01:00 ERR Failed to publish events caused by: client is not connected
2018-02-09T10:20:48+01:00 ERR Failed to publish events: client is not connected
2018-02-09T10:20:48+01:00 ERR Failed to publish events caused by: lumberjack protocol error
2018-02-09T10:20:49+01:00 ERR Failed to publish events caused by: client is not connected
2018-02-09T10:20:50+01:00 ERR Failed to publish events: client is not connected
2018-02-09T10:20:50+01:00 ERR Failed to publish events caused by: lumberjack protocol error
2018-02-09T10:20:50+01:00 ERR Failed to publish events caused by: client is not connected
2018-02-09T10:20:51+01:00 ERR Failed to publish events: client is not connected
2018-02-09T10:20:51+01:00 ERR Failed to publish events caused by: lumberjack protocol error
2018-02-09T10:20:51+01:00 ERR Failed to publish events caused by: client is not connected
2018-02-09T10:20:52+01:00 ERR Failed to publish events: client is not connected
2018-02-09T10:20:52+01:00 ERR Failed to publish events caused by: lumberjack protocol error
2018-02-09T10:20:52+01:00 ERR Failed to publish events caused by: client is not connected
2018-02-09T10:20:53+01:00 ERR Failed to publish events: client is not connected
2018-02-09T10:20:53+01:00 ERR Failed to publish events caused by: lumberjack protocol error
2018-02-09T10:20:53+01:00 ERR Failed to publish events caused by: client is not connected
2018-02-09T10:20:54+01:00 ERR Failed to publish events: client is not connected
2018-02-09T10:20:54+01:00 ERR Failed to publish events caused by: lumberjack protocol error
2018-02-09T10:20:54+01:00 ERR Failed to publish events caused by: client is not connected
2018-02-09T10:20:55+01:00 ERR Failed to publish events: client is not connected
2018-02-09T10:20:55+01:00 ERR Failed to publish events caused by: lumberjack protocol error
2018-02-09T10:20:55+01:00 ERR Failed to publish events caused by: client is not connected
2018-02-09T10:20:56+01:00 ERR Failed to publish events: client is not connected
2018-02-09T10:20:56+01:00 ERR Failed to publish events caused by: lumberjack protocol error
2018-02-09T10:20:56+01:00 ERR Failed to publish events caused by: client is not connected
2018-02-09T10:20:57+01:00 ERR Failed to publish events: client is not connected
2018-02-09T10:20:57+01:00 ERR Failed to publish events caused by: lumberjack protocol error
2018-02-09T10:20:57+01:00 ERR Failed to publish events caused by: client is not connected
2018-02-09T10:20:58+01:00 INFO Non-zero metrics in the last 30s: beat.info.uptime.ms=30007 beat.memstats.gc_next=33277648 beat.memstats.memory_alloc=28613136 beat.memstats.memory_total=5302610656 libbeat.config.module.running=0 libbeat.output.events.batches=54 libbeat.output.events.failed=110592 libbeat.output.events.total=110592 libbeat.output.read.bytes=162 libbeat.output.write.bytes=7769140 libbeat.pipeline.clients=3 libbeat.pipeline.events.active=4119 libbeat.pipeline.events.retry=165888 uptime={"server_time":"2018-02-09T09:20:58.621575Z","start_time":"2018-02-09T08:54:58.3298457Z","uptime":"26m0.2917293s","uptime_ms":"1560291729"}
2018-02-09T10:21:01+01:00 INFO Stopping Winlogbeat
2018-02-09T10:21:01+01:00 INFO EventLog[System] Stop processing.
2018-02-09T10:21:01+01:00 INFO EventLog[Application] Stop processing.
2018-02-09T10:21:01+01:00 INFO EventLog[Security] Stop processing.
2018-02-09T10:21:01+01:00 INFO Total non-zero values: beat.info.uptime.ms=1562846 beat.memstats.gc_next=33279568 beat.memstats.memory_alloc=25416048 beat.memstats.memory_total=5315037304 libbeat.config.module.running=0 libbeat.output.events.batches=2670 libbeat.output.events.failed=5468160 libbeat.output.events.total=5468160 libbeat.output.read.bytes=8010 libbeat.output.type=logstash libbeat.output.write.bytes=384536808 libbeat.output.write.errors=13 libbeat.pipeline.clients=0 libbeat.pipeline.events.active=4116 libbeat.pipeline.events.failed=284 libbeat.pipeline.events.published=4116 libbeat.pipeline.events.retry=8208384 libbeat.pipeline.events.total=4400 msg_file_cache.ApplicationHits=1487 msg_file_cache.ApplicationMisses=15 msg_file_cache.SecurityHits=1304 msg_file_cache.SecurityMisses=1 msg_file_cache.SystemHits=1588 msg_file_cache.SystemMisses=12 uptime={"server_time":"2018-02-09T09:21:01.3609922Z","start_time":"2018-02-09T08:54:58.3298457Z","uptime":"26m3.0311465s","uptime_ms":"1563031146"}
2018-02-09T10:21:01+01:00 INFO Uptime: 26m2.8461726s
2018-02-09T10:21:01+01:00 INFO winlogbeat stopped.

Do you have any idea where this can come from?
Thanks for your help.

What does your Logstash config look like? What does your Winlogbeat config look like?

For Logstash I just changed the IP, and for Winlogbeat I put the Logstash IP and the port.

My config .cfg:

input {
  beats {
    port => 9600
  }
}

output {
  if [type] == "wineventlog" {
    elasticsearch {
      hosts => ["http://172.20.15.80:9200"]
      index => "logstash-winlogbeat-%{+YYYY.MM.dd}"
    }
  }
}

In recent versions of Logstash I believe port 9600 is used by Logstash, so I am not sure a Beats plugin can use this. If so, there should be something in the Logstash logs though. Can you try using a different port?

I have this right now:

2018-02-12T11:15:46+01:00 INFO Home path: [C:\Program Files\winlogbeat] Config path: [C:\Program Files\winlogbeat] Data path: [C:\ProgramData\winlogbeat] Logs path: [C:\ProgramData\winlogbeat\logs]
2018-02-12T11:15:46+01:00 INFO Beat UUID: a0a3b61a-748d-417d-ac6c-7952dd8c7ef8
2018-02-12T11:15:46+01:00 INFO Setup Beat: winlogbeat; Version: 6.1.3
2018-02-12T11:15:46+01:00 INFO Beat name: RDS4
2018-02-12T11:15:46+01:00 INFO State will be read from and persisted to C:\ProgramData\winlogbeat.winlogbeat.yml
2018-02-12T11:15:46+01:00 INFO winlogbeat start running.
2018-02-12T11:15:59+01:00 INFO Stopping Winlogbeat
2018-02-12T11:15:59+01:00 INFO EventLog[System] Stop processing.
2018-02-12T11:15:59+01:00 INFO EventLog[Application] Stop processing.
2018-02-12T11:15:59+01:00 INFO EventLog[Security] Stop processing.
2018-02-12T11:15:59+01:00 INFO Total non-zero values: beat.info.uptime.ms=12668 beat.memstats.gc_next=27438992 beat.memstats.memory_alloc=20666872 beat.memstats.memory_total=104813784 libbeat.config.module.running=0 libbeat.output.type=logstash libbeat.pipeline.clients=0 libbeat.pipeline.events.active=4116 libbeat.pipeline.events.failed=284 libbeat.pipeline.events.published=4116 libbeat.pipeline.events.total=4400 msg_file_cache.ApplicationHits=1471 msg_file_cache.ApplicationMisses=30 msg_file_cache.ApplicationSize=30 msg_file_cache.SecurityHits=1202 msg_file_cache.SecurityMisses=1 msg_file_cache.SecuritySize=1 msg_file_cache.SystemHits=1688 msg_file_cache.SystemMisses=12 msg_file_cache.SystemSize=12 uptime={"server_time":"2018-02-12T10:15:59.4108292Z","start_time":"2018-02-12T10:15:46.7432977Z","uptime":"12.6675315s","uptime_ms":"12667531"}
2018-02-12T11:15:59+01:00 INFO Uptime: 12.668133s
2018-02-12T11:15:59+01:00 INFO winlogbeat stopped.

and this:

2018-02-12T11:18:38+01:00 INFO Home path: [C:\Program Files\winlogbeat] Config path: [C:\Program Files\winlogbeat] Data path: [C:\ProgramData\winlogbeat] Logs path: [C:\ProgramData\winlogbeat\logs]
2018-02-12T11:18:38+01:00 INFO Metrics logging every 30s
2018-02-12T11:18:38+01:00 INFO Beat UUID: a0a3b61a-748d-417d-ac6c-7952dd8c7ef8
2018-02-12T11:18:38+01:00 INFO Setup Beat: winlogbeat; Version: 6.1.3
2018-02-12T11:18:38+01:00 INFO Beat name: RDS4
2018-02-12T11:18:38+01:00 INFO State will be read from and persisted to C:\ProgramData\winlogbeat.winlogbeat.yml
2018-02-12T11:18:38+01:00 INFO winlogbeat start running.
2018-02-12T11:19:01+01:00 ERR Failed to connect: dial tcp 172.20.15.80:9800: connectex: A connection attempt failed because the connected party did not properly respond after a period of time, or an established connection failed because the connected host has failed to respond.
2018-02-12T11:19:08+01:00 INFO Non-zero metrics in the last 30s: beat.info.uptime.ms=30093 beat.memstats.gc_next=28292832 beat.memstats.memory_alloc=18146736 beat.memstats.memory_total=103518784 libbeat.config.module.running=0 libbeat.output.type=logstash libbeat.pipeline.clients=3 libbeat.pipeline.events.active=4119 libbeat.pipeline.events.published=4116 libbeat.pipeline.events.retry=2048 libbeat.pipeline.events.total=4119 msg_file_cache.ApplicationHits=1471 msg_file_cache.ApplicationMisses=30 msg_file_cache.ApplicationSize=30 msg_file_cache.SecurityHits=1201 msg_file_cache.SecurityMisses=1 msg_file_cache.SecuritySize=1 msg_file_cache.SystemHits=1688 msg_file_cache.SystemMisses=12 msg_file_cache.SystemSize=12 uptime={"server_time":"2018-02-12T10:19:08.9926481Z","start_time":"2018-02-12T10:18:38.9005668Z","uptime":"30.0920813s","uptime_ms":"30092081"}
2018-02-12T11:19:17+01:00 INFO Stopping Winlogbeat
2018-02-12T11:19:17+01:00 INFO EventLog[System] Stop processing.
2018-02-12T11:19:17+01:00 INFO EventLog[Application] Stop processing.
2018-02-12T11:19:17+01:00 INFO EventLog[Security] Stop processing.
2018-02-12T11:19:17+01:00 INFO Total non-zero values: beat.info.uptime.ms=38843 beat.memstats.gc_next=28292832 beat.memstats.memory_alloc=18891160 beat.memstats.memory_total=104263208 libbeat.config.module.running=0 libbeat.output.type=logstash libbeat.pipeline.clients=0 libbeat.pipeline.events.active=4116 libbeat.pipeline.events.failed=284 libbeat.pipeline.events.published=4116 libbeat.pipeline.events.retry=2048 libbeat.pipeline.events.total=4400 msg_file_cache.ApplicationHits=1471 msg_file_cache.ApplicationMisses=30 msg_file_cache.ApplicationSize=30 msg_file_cache.SecurityHits=1201 msg_file_cache.SecurityMisses=1 msg_file_cache.SecuritySize=1 msg_file_cache.SystemHits=1688 msg_file_cache.SystemMisses=12 msg_file_cache.SystemSize=12 uptime={"server_time":"2018-02-12T10:19:17.7418405Z","start_time":"2018-02-12T10:18:38.9005668Z","uptime":"38.8412737s","uptime_ms":"38841273"}
2018-02-12T11:19:17+01:00 INFO Uptime: 38.8432908s
2018-02-12T11:19:17+01:00 INFO winlogbeat stopped.

Check the Logstash log to see if it is managing to start the pipeline properly. I suspect it is not.

Otherwise try changing the port number used.

I have this in my logs:
[2018-02-12T00:00:02,208][ERROR][logstash.pipeline ] A plugin had an unrecoverable error. Will restart this plugin.
Pipeline_id:main
Plugin: <LogStash::Inputs::Beats port=>9600, id=>"5b4231270cc95ff9a050d800a1b854c520f4972ac0758099e07147549b5b820b", enable_metric=>true, codec=><LogStash::Codecs::Plain id=>"plain_bbf407c5-5175-40b6-9c90-83dd8ce74d73", enable_metric=>true, charset=>"UTF-8">, host=>"0.0.0.0", ssl=>false, ssl_verify_mode=>"none", include_codec_tag=>true, ssl_handshake_timeout=>10000, tls_min_version=>1, tls_max_version=>1.2, cipher_suites=>["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"], client_inactivity_timeout=>60, executor_threads=>8>
Error: event executor terminated

Here is the link to the docs describing the use of the 9600 port. Change port number either for the plugin or the Logstash monitoring API.
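As an added illustration of the fix (my own code, not Logstash's and not the poster's config), the script below parses a Logstash pipeline and flags two things visible in this thread: a beats input whose port falls inside the range Logstash reserves for its monitoring API (the default http.port setting is 9600-9700, so the API normally takes 9600), and a beats input with ssl left off, which the plugin dump above shows as ssl=>false, meaning the Windows event logs cross the network in cleartext. The two embedded pipelines are constructed samples: the first mirrors the thread's broken config, the second uses the 9900 port that worked plus placeholder certificate paths that you would replace with your own. The port-bind probe is meant to be run on the Logstash host itself.

```python
"""Audit a Logstash pipeline for a beats input that collides with the
Logstash monitoring API port range or ships events without TLS.
Constructed example; not part of Logstash or of the thread above."""
import re
import socket
from typing import Dict, List

# Logstash's default http.port setting is 9600-9700; the monitoring API
# binds the first free port in that range (normally 9600). Our constant.
MONITORING_API_PORTS = range(9600, 9701)

# Constructed sample: the shape of the pipeline posted in the thread.
BROKEN_PIPELINE = """
input {
  beats {
    port => 9600
  }
}
"""

# Constructed sample: the corrected pipeline. 9900 is the port that worked
# in the thread; the certificate paths are placeholders (assumption).
FIXED_PIPELINE = """
input {
  beats {
    port => 9900
    ssl => true
    ssl_certificate => "/etc/logstash/certs/logstash.crt"
    ssl_key => "/etc/logstash/certs/logstash.key"
  }
}
"""


def parse_beats_inputs(config_text: str) -> List[Dict[str, str]]:
    """Return the key => value settings of every beats { ... } block.
    Deliberately simple regex parse: assumes a beats block has no nested
    braces, which holds for ordinary port/ssl settings."""
    inputs = []
    for block in re.finditer(r'\bbeats\s*\{([^}]*)\}', config_text):
        settings = {}
        for m in re.finditer(r'(\w+)\s*=>\s*"?([^"\n]+?)"?\s*$',
                             block.group(1), re.M):
            settings[m.group(1)] = m.group(2).strip()
        inputs.append(settings)
    return inputs


def audit_beats_inputs(config_text: str) -> List[str]:
    """Return human-readable findings; an empty list means the config passes."""
    findings = []
    for i, settings in enumerate(parse_beats_inputs(config_text), 1):
        port = int(settings.get("port", 5044))  # beats input default port
        if port in MONITORING_API_PORTS:
            findings.append(
                f"beats input #{i}: port {port} lies in the Logstash monitoring "
                f"API range 9600-9700; pick a port outside it")
        if settings.get("ssl", "false").lower() != "true":
            findings.append(
                f"beats input #{i}: ssl is not enabled, so events arrive in "
                f"cleartext on port {port}")
    return findings


def port_is_bindable(port: int, host: str = "0.0.0.0") -> bool:
    """Try to bind the port locally. False means another process (such as
    the Logstash API) already holds it. Run on the Logstash host."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            s.bind((host, port))
            return True
        except OSError:
            return False


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_PIPELINE), ("fixed", FIXED_PIPELINE)):
        print(name, audit_beats_inputs(cfg) or ["ok"])
```

Run it on the pipeline file before restarting Logstash; if the audit is clean but Winlogbeat still reports "Failed to connect", check port_is_bindable on the Logstash host and then the firewall between the two machines, since the second log excerpt above shows a plain TCP timeout rather than a protocol error.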

Thank you, it works fine with the 9900 port.
