Problems with winlogbeat

gaudi71240 · February 12, 2018, 9:16am

Hello i have install ELK Stack in version 6.2 with centos

when i want to send the logs of my windows server it goes this way at logstash service logs :

2018-02-09T10:20:40+01:00 ERR Failed to publish events: client is not connected
2018-02-09T10:20:40+01:00 ERR Failed to publish events caused by: lumberjack protocol error
2018-02-09T10:20:40+01:00 ERR Failed to publish events caused by: client is not connected
2018-02-09T10:20:41+01:00 ERR Failed to publish events: client is not connected
2018-02-09T10:20:41+01:00 ERR Failed to publish events caused by: lumberjack protocol error
2018-02-09T10:20:41+01:00 ERR Failed to publish events caused by: client is not connected
2018-02-09T10:20:42+01:00 ERR Failed to publish events: client is not connected
2018-02-09T10:20:42+01:00 ERR Failed to publish events caused by: lumberjack protocol error
2018-02-09T10:20:42+01:00 ERR Failed to publish events caused by: client is not connected
2018-02-09T10:20:43+01:00 ERR Failed to publish events: client is not connected
2018-02-09T10:20:43+01:00 ERR Failed to publish events caused by: lumberjack protocol error
2018-02-09T10:20:43+01:00 ERR Failed to publish events caused by: client is not connected
2018-02-09T10:20:44+01:00 ERR Failed to publish events: client is not connected
2018-02-09T10:20:44+01:00 ERR Failed to publish events caused by: lumberjack protocol error
2018-02-09T10:20:44+01:00 ERR Failed to publish events caused by: client is not connected
2018-02-09T10:20:45+01:00 ERR Failed to publish events: client is not connected
2018-02-09T10:20:45+01:00 ERR Failed to publish events caused by: lumberjack protocol error
2018-02-09T10:20:45+01:00 ERR Failed to publish events caused by: client is not connected
2018-02-09T10:20:46+01:00 ERR Failed to publish events: client is not connected
2018-02-09T10:20:46+01:00 ERR Failed to publish events caused by: lumberjack protocol error
2018-02-09T10:20:46+01:00 ERR Failed to publish events caused by: client is not connected
2018-02-09T10:20:47+01:00 ERR Failed to publish events: client is not connected
2018-02-09T10:20:47+01:00 ERR Failed to publish events caused by: lumberjack protocol error
2018-02-09T10:20:47+01:00 ERR Failed to publish events caused by: client is not connected
2018-02-09T10:20:48+01:00 ERR Failed to publish events: client is not connected
2018-02-09T10:20:48+01:00 ERR Failed to publish events caused by: lumberjack protocol error
2018-02-09T10:20:49+01:00 ERR Failed to publish events caused by: client is not connected
2018-02-09T10:20:50+01:00 ERR Failed to publish events: client is not connected
2018-02-09T10:20:50+01:00 ERR Failed to publish events caused by: lumberjack protocol error
2018-02-09T10:20:50+01:00 ERR Failed to publish events caused by: client is not connected
2018-02-09T10:20:51+01:00 ERR Failed to publish events: client is not connected
2018-02-09T10:20:51+01:00 ERR Failed to publish events caused by: lumberjack protocol error
2018-02-09T10:20:51+01:00 ERR Failed to publish events caused by: client is not connected
2018-02-09T10:20:52+01:00 ERR Failed to publish events: client is not connected
2018-02-09T10:20:52+01:00 ERR Failed to publish events caused by: lumberjack protocol error
2018-02-09T10:20:52+01:00 ERR Failed to publish events caused by: client is not connected
2018-02-09T10:20:53+01:00 ERR Failed to publish events: client is not connected
2018-02-09T10:20:53+01:00 ERR Failed to publish events caused by: lumberjack protocol error
2018-02-09T10:20:53+01:00 ERR Failed to publish events caused by: client is not connected
2018-02-09T10:20:54+01:00 ERR Failed to publish events: client is not connected
2018-02-09T10:20:54+01:00 ERR Failed to publish events caused by: lumberjack protocol error
2018-02-09T10:20:54+01:00 ERR Failed to publish events caused by: client is not connected
2018-02-09T10:20:55+01:00 ERR Failed to publish events: client is not connected
2018-02-09T10:20:55+01:00 ERR Failed to publish events caused by: lumberjack protocol error
2018-02-09T10:20:55+01:00 ERR Failed to publish events caused by: client is not connected
2018-02-09T10:20:56+01:00 ERR Failed to publish events: client is not connected
2018-02-09T10:20:56+01:00 ERR Failed to publish events caused by: lumberjack protocol error
2018-02-09T10:20:56+01:00 ERR Failed to publish events caused by: client is not connected
2018-02-09T10:20:57+01:00 ERR Failed to publish events: client is not connected
2018-02-09T10:20:57+01:00 ERR Failed to publish events caused by: lumberjack protocol error
2018-02-09T10:20:57+01:00 ERR Failed to publish events caused by: client is not connected
2018-02-09T10:20:58+01:00 INFO Non-zero metrics in the last 30s: beat.info.uptime.ms=30007 beat.memstats.gc_next=33277648 beat.memstats.memory_alloc=28613136 beat.memstats.memory_total=5302610656 libbeat.config.module.running=0 libbeat.output.events.batches=54 libbeat.output.events.failed=110592 libbeat.output.events.total=110592 libbeat.output.read.bytes=162 libbeat.output.write.bytes=7769140 libbeat.pipeline.clients=3 libbeat.pipeline.events.active=4119 libbeat.pipeline.events.retry=165888 uptime={"server_time":"2018-02-09T09:20:58.621575Z","start_time":"2018-02-09T08:54:58.3298457Z","uptime":"26m0.2917293s","uptime_ms":"1560291729"}
2018-02-09T10:21:01+01:00 INFO Stopping Winlogbeat
2018-02-09T10:21:01+01:00 INFO EventLog[System] Stop processing.
2018-02-09T10:21:01+01:00 INFO EventLog[Application] Stop processing.
2018-02-09T10:21:01+01:00 INFO EventLog[Security] Stop processing.
2018-02-09T10:21:01+01:00 INFO Total non-zero values: beat.info.uptime.ms=1562846 beat.memstats.gc_next=33279568 beat.memstats.memory_alloc=25416048 beat.memstats.memory_total=5315037304 libbeat.config.module.running=0 libbeat.output.events.batches=2670 libbeat.output.events.failed=5468160 libbeat.output.events.total=5468160 libbeat.output.read.bytes=8010 libbeat.output.type=logstash libbeat.output.write.bytes=384536808 libbeat.output.write.errors=13 libbeat.pipeline.clients=0 libbeat.pipeline.events.active=4116 libbeat.pipeline.events.failed=284 libbeat.pipeline.events.published=4116 libbeat.pipeline.events.retry=8208384 libbeat.pipeline.events.total=4400 msg_file_cache.ApplicationHits=1487 msg_file_cache.ApplicationMisses=15 msg_file_cache.SecurityHits=1304 msg_file_cache.SecurityMisses=1 msg_file_cache.SystemHits=1588 msg_file_cache.SystemMisses=12 uptime={"server_time":"2018-02-09T09:21:01.3609922Z","start_time":"2018-02-09T08:54:58.3298457Z","uptime":"26m3.0311465s","uptime_ms":"1563031146"}
2018-02-09T10:21:01+01:00 INFO Uptime: 26m2.8461726s
2018-02-09T10:21:01+01:00 INFO winlogbeat stopped.

do you have any idea what this can come from
thanks for your help

Christian_Dahlqvist · February 12, 2018, 9:27am

What does your Logstash config look like? What does your Winlogbeat config look like?

gaudi71240 · February 12, 2018, 9:53am

for logstash i just changed the ip and for winlogbeat I put the logstash IP and the port

gaudi71240 · February 12, 2018, 9:55am

my config .cfg :

input {
beats {
port => 9600
}
}

output {
if [type] == "wineventlog" {
elasticsearch { hosts => ["http://172.20.15.80:9200"]
index => "logstash-winlogbeat-%{+YYYY.MM.dd}"
}
}
}

Christian_Dahlqvist · February 12, 2018, 10:03am

In recent versions of Logstash I believe port 9600 is used by Logstash, so I am not sure a Beats plugin can use this. If so, there should be something in the Logstash logs though. Can you try using a different port?

gaudi71240 · February 12, 2018, 10:17am

i have this right now

2018-02-12T11:15:46+01:00 INFO Home path: [C:\Program Files\winlogbeat] Config path: [C:\Program Files\winlogbeat] Data path: [C:\ProgramData\winlogbeat] Logs path: [C:\ProgramData\winlogbeat\logs]
2018-02-12T11:15:46+01:00 INFO Beat UUID: a0a3b61a-748d-417d-ac6c-7952dd8c7ef8
2018-02-12T11:15:46+01:00 INFO Setup Beat: winlogbeat; Version: 6.1.3
2018-02-12T11:15:46+01:00 INFO Beat name: RDS4
2018-02-12T11:15:46+01:00 INFO State will be read from and persisted to C:\ProgramData\winlogbeat.winlogbeat.yml
2018-02-12T11:15:46+01:00 INFO winlogbeat start running.
2018-02-12T11:15:59+01:00 INFO Stopping Winlogbeat
2018-02-12T11:15:59+01:00 INFO EventLog[System] Stop processing.
2018-02-12T11:15:59+01:00 INFO EventLog[Application] Stop processing.
2018-02-12T11:15:59+01:00 INFO EventLog[Security] Stop processing.
2018-02-12T11:15:59+01:00 INFO Total non-zero values: beat.info.uptime.ms=12668 beat.memstats.gc_next=27438992 beat.memstats.memory_alloc=20666872 beat.memstats.memory_total=104813784 libbeat.config.module.running=0 libbeat.output.type=logstash libbeat.pipeline.clients=0 libbeat.pipeline.events.active=4116 libbeat.pipeline.events.failed=284 libbeat.pipeline.events.published=4116 libbeat.pipeline.events.total=4400 msg_file_cache.ApplicationHits=1471 msg_file_cache.ApplicationMisses=30 msg_file_cache.ApplicationSize=30 msg_file_cache.SecurityHits=1202 msg_file_cache.SecurityMisses=1 msg_file_cache.SecuritySize=1 msg_file_cache.SystemHits=1688 msg_file_cache.SystemMisses=12 msg_file_cache.SystemSize=12 uptime={"server_time":"2018-02-12T10:15:59.4108292Z","start_time":"2018-02-12T10:15:46.7432977Z","uptime":"12.6675315s","uptime_ms":"12667531"}
2018-02-12T11:15:59+01:00 INFO Uptime: 12.668133s
2018-02-12T11:15:59+01:00 INFO winlogbeat stopped.

gaudi71240 · February 12, 2018, 10:20am

and this

2018-02-12T11:18:38+01:00 INFO Home path: [C:\Program Files\winlogbeat] Config path: [C:\Program Files\winlogbeat] Data path: [C:\ProgramData\winlogbeat] Logs path: [C:\ProgramData\winlogbeat\logs]
2018-02-12T11:18:38+01:00 INFO Metrics logging every 30s
2018-02-12T11:18:38+01:00 INFO Beat UUID: a0a3b61a-748d-417d-ac6c-7952dd8c7ef8
2018-02-12T11:18:38+01:00 INFO Setup Beat: winlogbeat; Version: 6.1.3
2018-02-12T11:18:38+01:00 INFO Beat name: RDS4
2018-02-12T11:18:38+01:00 INFO State will be read from and persisted to C:\ProgramData\winlogbeat.winlogbeat.yml
2018-02-12T11:18:38+01:00 INFO winlogbeat start running.
2018-02-12T11:19:01+01:00 ERR Failed to connect: dial tcp 172.20.15.80:9800: connectex: Une tentative de connexion a Ã©chouÃ© car le parti connectÃ© nâ€™a pas rÃ©pondu convenablement au-delÃ dâ€™une certaine durÃ©e ou une connexion Ã©tablie a Ã©chouÃ© car lâ€™hÃ´te de connexion nâ€™a pas rÃ©pondu.
2018-02-12T11:19:08+01:00 INFO Non-zero metrics in the last 30s: beat.info.uptime.ms=30093 beat.memstats.gc_next=28292832 beat.memstats.memory_alloc=18146736 beat.memstats.memory_total=103518784 libbeat.config.module.running=0 libbeat.output.type=logstash libbeat.pipeline.clients=3 libbeat.pipeline.events.active=4119 libbeat.pipeline.events.published=4116 libbeat.pipeline.events.retry=2048 libbeat.pipeline.events.total=4119 msg_file_cache.ApplicationHits=1471 msg_file_cache.ApplicationMisses=30 msg_file_cache.ApplicationSize=30 msg_file_cache.SecurityHits=1201 msg_file_cache.SecurityMisses=1 msg_file_cache.SecuritySize=1 msg_file_cache.SystemHits=1688 msg_file_cache.SystemMisses=12 msg_file_cache.SystemSize=12 uptime={"server_time":"2018-02-12T10:19:08.9926481Z","start_time":"2018-02-12T10:18:38.9005668Z","uptime":"30.0920813s","uptime_ms":"30092081"}
2018-02-12T11:19:17+01:00 INFO Stopping Winlogbeat
2018-02-12T11:19:17+01:00 INFO EventLog[System] Stop processing.
2018-02-12T11:19:17+01:00 INFO EventLog[Application] Stop processing.
2018-02-12T11:19:17+01:00 INFO EventLog[Security] Stop processing.
2018-02-12T11:19:17+01:00 INFO Total non-zero values: beat.info.uptime.ms=38843 beat.memstats.gc_next=28292832 beat.memstats.memory_alloc=18891160 beat.memstats.memory_total=104263208 libbeat.config.module.running=0 libbeat.output.type=logstash libbeat.pipeline.clients=0 libbeat.pipeline.events.active=4116 libbeat.pipeline.events.failed=284 libbeat.pipeline.events.published=4116 libbeat.pipeline.events.retry=2048 libbeat.pipeline.events.total=4400 msg_file_cache.ApplicationHits=1471 msg_file_cache.ApplicationMisses=30 msg_file_cache.ApplicationSize=30 msg_file_cache.SecurityHits=1201 msg_file_cache.SecurityMisses=1 msg_file_cache.SecuritySize=1 msg_file_cache.SystemHits=1688 msg_file_cache.SystemMisses=12 msg_file_cache.SystemSize=12 uptime={"server_time":"2018-02-12T10:19:17.7418405Z","start_time":"2018-02-12T10:18:38.9005668Z","uptime":"38.8412737s","uptime_ms":"38841273"}
2018-02-12T11:19:17+01:00 INFO Uptime: 38.8432908s
2018-02-12T11:19:17+01:00 INFO winlogbeat stopped.

Christian_Dahlqvist · February 12, 2018, 10:21am

Check the Logstash log to see if it is managing to start the pipeline properly. I suspect it is not.

Otherwise try changing the port number used.

gaudi71240 · February 12, 2018, 10:24am

i have this in my logs :
[2018-02-12T00:00:02,208][ERROR][logstash.pipeline ] A plugin had an unrecoverable error. Will restart this plugin.
Pipeline_id:main
Plugin: <LogStash::Inputs::Beats port=>9600, id=>"5b4231270cc95ff9a050d800a1b854c520f4972ac0758099e07147549b5b820b", enable_metric=>true, codec=><LogStash::Codecs::Plain id=>"plain_bbf407c5-5175-40b6-9c90-83dd8ce74d73", enable_metric=>true, charset=>"UTF-8">, host=>"0.0.0.0", ssl=>false, ssl_verify_mode=>"none", include_codec_tag=>true, ssl_handshake_timeout=>10000, tls_min_version=>1, tls_max_version=>1.2, cipher_suites=>["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"], client_inactivity_timeout=>60, executor_threads=>8>
Error: event executor terminated

Christian_Dahlqvist · February 12, 2018, 10:27am

Here is the link to the docs describing the use of the 9600 port. Change port number either for the plugin or the Logstash monitoring API.

gaudi71240 · February 12, 2018, 10:46am

thank you it works fine with the 9900 port

system · March 12, 2018, 10:47am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.