Unable to get winlogbeat to send to logstash

andrewkroh · April 25, 2017, 9:52pm

If any Winlogbeat is sending data directly to ES then it will have automatically installed the index template for you. When going though Logstash, Winlogbeat isn't able to directly communicate to ES so you have to do it yourself (we might improve this in the future by proxying the template through LS).

You can check that the winlogbeat template is installed with this command which will return the contents of the templates matching the name "winlogbeat*".

GET _template/winlogbeat* (that's the kibana dev console syntax)

Greenie · April 25, 2017, 9:58pm

from powershell I ran command: .\bin\logstash-plugin list
and it showed logstash-input-beats within the list. Since all versions of the stack are the same I am assuming it is also the same (version 5.3.0)

andrewkroh · April 26, 2017, 2:10pm

To show plugin versions in Logstash you need to add --version (reference). But the plugin version it ships with should be fine.

Greenie · April 26, 2017, 6:47pm

ran command: .\bin\logstash-plugin list --verbose
Result: logstash-input-beats (3.1.12)

ran command: .\bin\logstash-plugin remove logstash-input-beats
Result: Successfully removed logstash-input-beats

Downloaded:

Copied downloaded file "logstash-input-beats-master.zip" to C:\ELK\logstash-5.3.0
ran command: .\bin\logstash-plugin install --no-verify
Result: Error Bundler::Install Error...Make sure that 'gem install logstash-core-event-java -v '5.3.0' succeeds before bundling.

I found the bundler-1.9.10 folder and ran .\bundle install from powershell and it asks how I want to open this file, I would assume jruby, but would definitely appreciate any assistance getting past this so I'm not spinning my wheels any longer.

andrewkroh · April 26, 2017, 7:07pm

The beats plugin version that LS ships with is fine. So I wouldn't try to update it. Just use the stock download.

Greenie · April 26, 2017, 8:50pm

I had already removed it, since the version showed up 3.1.12...I was under the impression that all of the versions should match and it needed to be removed and the new one installed.

...So now what do you recommend?

andrewkroh · April 26, 2017, 9:36pm

Delete the logstash directory and replace it with a clean copy from the 5.3 zip you download.

Greenie · April 26, 2017, 9:49pm

OK I think I'm back on track..clean copy back in place and logstash-input-beats (3.1.12) is showing up again.

Greenie · April 27, 2017, 6:33pm

Andrew -
I want to thank you for helping me stumble through this. I found that I was missing one quote in the logstash config that was not allowing the winlogbeat data to get to elasticsearch...pretty frustrating, but thanks again for sticking with me on this. I think I was making it more complicated than it needed to be. Cheerz!

system · May 25, 2017, 6:45pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.