Topbeat from Windows not sending logs to ELK stack


(Iqbal Nazir) #1

Hello,

I have a working ELK stack running on Ubuntu 16.04. Filebeat and Topbeat from another Ubuntu client are successfully shipping logs to that ELK server. Even Winlogbeat is shipping events from a Windows machine. Then I was trying to make Filebeat and Topbeat work from a Windows machine, but for some reason these are not working. When I open the logs in C:\ProgramData\topbeat\Logs, I see the following:

2016-06-20T09:17:09+02:00 ERR Error getting process details. pid=14072: error getting process arguments for pid=14072: could not get CommandLine: could not get Win32_Process WHERE ProcessId = 14072: Process not found
2016-06-20T09:17:09+02:00 ERR Error getting process details. pid=14036: error getting process arguments for pid=14036: could not get CommandLine: could not get Win32_Process WHERE ProcessId = 14036: Process not found
2016-06-20T09:20:39+02:00 ERR Error getting process details. pid=15780: error getting process arguments for pid=15780: could not get CommandLine: could not get Win32_Process WHERE ProcessId = 15780: Process not found
2016-06-20T09:20:39+02:00 ERR Error getting process details. pid=6696: error getting process arguments for pid=6696: could not get CommandLine: could not get Win32_Process WHERE ProcessId = 6696: Process not found

Can anyone please help on this regard?

Best regards,
Iqbal


(Andrew Kroh) #2

Is Topbeat shipping any events? Can you enable debug logging and post your log file?

The log lines above indicate a problem collecting the command line of only those processes. This can occur if those processes stopped in the middle of collection. Is this happening for all processes?

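To tell the two cases apart (a race on processes that exit mid-collection versus a lookup that fails for every PID), the WMI query named in the error can be reproduced outside Topbeat. The following is an added diagnostic for the Windows host, not code from the thread or from the Beats project; it assumes the service was installed under the name "topbeat" by the Beats install script, and that PowerShell is run from an account allowed to query WMI.

```powershell
# Added diagnostic: issue the same WQL lookup Topbeat 1.x performs
# (Win32_Process WHERE ProcessId = N) for every currently running PID
# and count how many come back empty.
# Assumptions: run on the host where Topbeat is installed; the service
# is registered as "topbeat" (name taken from the Beats install script).

$ErrorActionPreference = 'Stop'

function Test-ProcessCommandLineLookup {
    param(
        # PIDs to look up; defaults to everything Get-Process can see.
        [int[]]$Pids = (Get-Process | Select-Object -ExpandProperty Id)
    )

    $missing = @()
    $found = 0
    foreach ($procId in $Pids) {
        # Same class and filter as in the Topbeat error message.
        $row = Get-CimInstance -ClassName Win32_Process `
            -Filter "ProcessId = $procId" -ErrorAction SilentlyContinue
        if ($null -eq $row) {
            $missing += $procId
        } else {
            $found++
        }
    }

    [pscustomobject]@{
        Found       = $found
        Missing     = $missing.Count
        MissingPids = $missing
    }
}

# A few misses on a busy machine are normal: those PIDs exited between the
# process enumeration and the WMI lookup. Misses for almost every PID mean
# the WMI query itself is failing, which is a host problem, not a Topbeat one.
$result = Test-ProcessCommandLineLookup
$result | Format-List

# How the Topbeat service is installed: state and the account it runs as.
Get-CimInstance -ClassName Win32_Service -Filter "Name = 'topbeat'" |
    Select-Object Name, State, StartName, PathName

# Independent sanity checks on the WMI service and the Win32_Process class.
Get-Service -Name Winmgmt | Select-Object Status, StartType
(Get-CimInstance -ClassName Win32_Process | Measure-Object).Count
```

Run it once from an elevated prompt and once under the account the service uses; a healthy host returns a Missing count near zero in both cases, while a large Missing count for long-lived processes (explorer.exe, the Winlogbeat service) points at WMI rather than at the shipper.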

(Iqbal Nazir) #3

Hi,
Thanks for the reply. I have set logging to debug, but I don't see any change. Could you please have a look at my config file and review it?


input: 
  period: 10
  procs: 
    - .*
  stats: 
    cpu_per_core: false
    filesystem: true
    process: true
    system: true
logging: 
  files: 
    rotateeverybytes: 10485760
  level: debug
output: 
  elasticsearch: 
    hosts: 
      - "ELK_Server_IP:9200"
shipper: ~

(Iqbal Nazir) #4

I don't see Topbeat is sending any events.

I get the same error log, whatever the ProcessId is.


(Andrew Kroh) #5

In your config, what is the `shipper: ~`? That doesn't look like a valid option. Everything else looks normal.

Can you run each of these queries against ES and post the output to confirm the number of events from topbeat.

curl -XGET 'http://ELK_Server_IP:9200/topbeat-*/process/_count'
curl -XGET 'http://ELK_Server_IP:9200/topbeat-*/filesystem/_count'
curl -XGET 'http://ELK_Server_IP:9200/topbeat-*/system/_count'

Can you please post the debug logs from Topbeat somewhere (like gist or pastebin).


(Iqbal Nazir) #6

Hey,
This is the whole config file:
---
input:
  period: 10
  procs:
    - .*
  stats:
    cpu_per_core: false
    filesystem: true
    process: true
    system: true
logging:
  files:
    rotateeverybytes: 10485760
  level: debug
output:
  elasticsearch:
    hosts:
      - "ELK_server_IP:9200"
shipper:
logging:
  level: debug
  files:
    rotateeverybytes: 10485760 # = 10MB

I have run the queries on the ELK server and found the following results. I couldn't run them on the Windows machine where Topbeat is running (maybe I don't know how to run them there).

Result for process query:
{ "count": 18073858, "_shards": { "total": 100, "successful": 100, "failed": 0 } }

Result for filesystem query:
{ "count": 2457273, "_shards": { "total": 100, "successful": 100, "failed": 0 } }

Result for system query:
{ "count": 161571, "_shards": { "total": 100, "successful": 100, "failed": 0 } }

As you can see, Topbeat is actually shipping some events, but I don't think these events are from the Windows client, rather from the Ubuntu client (I have an Ubuntu client where Topbeat is running and shipping).


(Iqbal Nazir) #7

Sorry, I don't know how to do this as I am a newbie :(


(Andrew Kroh) #8

I think the log file should be located at C:\ProgramData\topbeat\Logs\topbeat and you can paste that file to pastebin.com and share it.

The aggregation query will tell us what hosts are sending data and how many of each event type.

curl -XGET  'http://ELK_server_IP:9200/topbeat-*/_search' -d'
{
  "size": 0,
  "aggs": {
    "hosts": {
      "terms": {
        "field": "beat.hostname",
        "size": 0
      },
      "aggs": {
        "types": {
          "terms": {
            "field": "type",
            "size": 0,
            "order": {
              "_count": "desc"
            }
          }
        }
      }
    }
  }
}'

(Iqbal Nazir) #9

Please see the logs here.

And if I run the aggregation query in Sense, I see events only from "rancid-test" which is my Ubuntu client.


(Andrew Kroh) #10

What version of Windows? What version of Topbeat? Did you start Topbeat as a Windows service?

The logs look a little sparse. I expected a lot more data since it's running with level: debug. Did you restart Topbeat after setting the level to debug?


(Iqbal Nazir) #11

Windows 10 Enterprise
Topbeat 1.2.3
Yes, Topbeat is running as Windows Service
Yes, restarted too.

Winlogbeat is shipping events successfully from the same machine.


(system) #12

This topic was automatically closed after 21 days. New replies are no longer allowed.