Not sure I ran this correctly, but...
I updated winlogbeat.yml to output to Logstash instead of Elasticsearch.
Question: Should the winlogbeat.yml file contain the Logstash username/password? And if so, should it be logstash_user, based upon the X-Pack security lab guide?
output.logstash:
  hosts: ["192.168.1.35:5044"]
  index: winlogbeat
Next I updated the Logstash config to:
input {
  beats {
    port => 5044
  }
}
output {
  # "stdput" is not a Logstash plugin; the output plugin is stdout
  stdout { codec => rubydebug }
}
Then, from an Admin PowerShell prompt, I ran the command .\bin\logstash -f logstash.conf, which produced:
C:\ELK\logstash-5.3.0> .\bin\logstash -f logstash.conf
Could not find log4j2 configuration at path /ELK/logstash-5.3.0/config/log4j2.properties. Using default config which logs to console
09:51:38.223 [[.monitoring-logstash]-pipeline-manager] INFO logstash.outputs.elasticsearch - Elasticsearch pool URLs updated {:changes=>{:removed=>, :added=>http://logstash_system:xxxxxx@localhost:9200/_xpack/monitoring/?system_id=logstash&system_api_version=2&interval=1s]}}
09:51:38.238 [[.monitoring-logstash]-pipeline-manager] INFO logstash.outputs.elasticsearch - Running health check to see if an Elasticsearch connection is working {:healthcheck_url=>http://logstash_system:xxxxxx@localhost:9200/, :path=>"/"}
log4j:WARN No appenders could be found for logger (org.apache.http.client.protocol.RequestAuthCache).
log4j:WARN Please initialize the log4j system properly.
log4j:WARN See Apache log4j 1.2 - Frequently Asked Technical Questions for more info.
09:51:40.542 [[.monitoring-logstash]-pipeline-manager] WARN logstash.outputs.elasticsearch - Attempted to resurrect connection to dead ES instance, but got an error. {:url=>#<URI::HTTP:0xad33314 URL:http://logstash_system:xxxxxx@localhost:9200/_xpack/monitoring/?system_id=logstash&system_api_version=2&interval=1s>, :error_type=>LogStash::Outputs::Elasticsearch::HttpClient::Pool::HostUnreachableError, :error=>"Elasticsearch Unreachable: [http://logstash_system:xxxxxx@localhost:9200/][Manticore::SocketException] Connection refused: connect"}
09:51:40.557 [[.monitoring-logstash]-pipeline-manager] INFO logstash.outputs.elasticsearch - New Elasticsearch output {:class=>"LogStash::Outputs::Elasticsearch", :hosts=>[#<URI::HTTP:0x67e453bb URL:http://localhost:9200>]}
09:51:40.557 [[.monitoring-logstash]-pipeline-manager] INFO logstash.pipeline - Starting pipeline {"id"=>".monitoring-logstash", "pipeline.workers"=>1, "pipeline.batch.size"=>2, "pipeline.batch.delay"=>5, "pipeline.max_inflight"=>2}
09:51:40.557 [[.monitoring-logstash]-pipeline-manager] INFO logstash.pipeline - Pipeline .monitoring-logstash started
09:51:40.573 [[main]-pipeline-manager] INFO logstash.pipeline - Starting pipeline {"id"=>"main", "pipeline.workers"=>8, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>5, "pipeline.max_inflight"=>1000}
09:51:41.403 [[main]-pipeline-manager] INFO logstash.inputs.beats - Beats inputs: Starting input listener {:address=>"0.0.0.0:5044"}
09:51:41.528 [[main]-pipeline-manager] INFO logstash.pipeline - Pipeline main started
09:51:41.669 [Api Webserver] INFO logstash.agent - Successfully started Logstash API endpoint {:port=>9600}
09:51:45.601 [Ruby-0-Thread-5: C:/ELK/logstash-5.3.0/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-6.2.6-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:222] INFO logstash.outputs.elasticsearch - Running health check to see if an Elasticsearch connection is working {:healthcheck_url=>http://logstash_system:xxxxxx@localhost:9200/, :path=>"/"}
09:51:47.640 [Ruby-0-Thread-5: C:/ELK/logstash-5.3.0/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-6.2.6-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:222] WARN logstash.outputs.elasticsearch - Attempted to resurrect connection to dead ES instance, but got an error. {:url=>#<URI::HTTP:0x64655cee URL:http://logstash_system:xxxxxx@localhost:9200/_xpack/monitoring/?system_id=logstash&system_api_version=2&interval=1s>, :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :error=>"Elasticsearch Unreachable: [http://logstash_system:xxxxxx@localhost:9200/][Manticore::SocketException] Connection refused: connect"}
09:51:48.437 [[main]<beats] ERROR logstash.pipeline - A plugin had an unrecoverable error. Will restart this plugin.
Plugin: <LogStash::Inputs::Beats port=>5044, id=>"6f164141d0488801eb88cf02c3ad2332d4a9697d-1", enable_metric=>true, codec=><LogStash::Codecs::Plain id=>"plain_6c4a974d-e114-4f30-99fb-a0cd8c0e4b8f", enable_metric=>true, charset=>"UTF-8">, host=>"0.0.0.0", ssl=>false, ssl_verify_mode=>"none", include_codec_tag=>true, ssl_handshake_timeout=>10000, congestion_threshold=>5, target_field_for_codec=>"message", tls_min_version=>1, tls_max_version=>1.2, cipher_suites=>["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"], client_inactivity_timeout=>60> Error: Address already in use: bind
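As an added example (not part of the original post, nor Elastic's own tooling), a small Python triage script that parses Logstash 5.x console log lines in the format shown above and surfaces the two actionable conditions they contain: the Beats input failing to bind its port ("Address already in use: bind"), and the monitoring pipeline being refused by Elasticsearch. It also checks that any credential-bearing URL in the log is masked, as Logstash does with "xxxxxx". The sample log is constructed and condensed from the output quoted in the post.

```python
import re

# Logstash 5.x console format: "HH:MM:SS.mmm [thread] LEVEL logger - message"
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) \[(?P<thread>.+?)\] "
    r"(?P<level>[A-Z]+) +(?P<logger>\S+) - (?P<msg>.*)$"
)
PORT_RE = re.compile(r"port=>(\d+)")
# user:password@host in an http(s) URL; the password group is what Logstash masks
URL_RE = re.compile(r"https?://(?:[^:/@\s]+:(?P<pw>[^@\s/]+)@)?(?P<host>[^/\s\]>]+)")

# Constructed sample, condensed from the Logstash output quoted above.
SAMPLE_LOG = """\
09:51:40.542 [[.monitoring-logstash]-pipeline-manager] WARN logstash.outputs.elasticsearch - Attempted to resurrect connection to dead ES instance, but got an error. {:url=>#<URI::HTTP:0xad33314 URL:http://logstash_system:xxxxxx@localhost:9200/_xpack/monitoring/?system_id=logstash>, :error=>"Elasticsearch Unreachable: [http://logstash_system:xxxxxx@localhost:9200/][Manticore::SocketException] Connection refused: connect"}
09:51:41.403 [[main]-pipeline-manager] INFO logstash.inputs.beats - Beats inputs: Starting input listener {:address=>"0.0.0.0:5044"}
09:51:48.437 [[main]<beats] ERROR logstash.pipeline - A plugin had an unrecoverable error. Will restart this plugin.
Plugin: <LogStash::Inputs::Beats port=>5044, id=>"6f16-constructed", enable_metric=>true> Error: Address already in use: bind
"""

def parse(text):
    """Split console output into records; untimestamped lines continue the previous record."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            records.append(m.groupdict())
        elif records:
            records[-1]["msg"] += "\n" + raw
    return records

def triage(record):
    """Map a record to (condition, detail) for the two failures seen in the post, else None."""
    msg = record["msg"]
    if "Address already in use" in msg:
        port = PORT_RE.search(msg)
        return ("port_in_use", port.group(1) if port else None)
    if "Connection refused" in msg or "HostUnreachableError" in msg:
        url = URL_RE.search(msg)
        return ("es_unreachable", url.group("host") if url else None)
    return None

def findings(text):
    return [f for f in (triage(r) for r in parse(text)) if f]

def unmasked_credentials(record):
    """True if any URL in the record carries a password that Logstash did not mask."""
    return any(m.group("pw") not in (None, "xxxxxx") for m in URL_RE.finditer(record["msg"]))

if __name__ == "__main__":
    for condition, detail in findings(SAMPLE_LOG):
        print(condition, detail)
```

A "port_in_use" finding for 5044 means another process (typically an earlier Logstash run) already holds the Beats port, and "es_unreachable" for localhost:9200 comes from the X-Pack monitoring pipeline, not from the Beats input, so the two should be investigated separately.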