Unable to see logs when sending through Logstash

fab · December 7, 2017, 2:21pm

Hi,
i'm trying to send windows logs through winlogbeat directly to logstash. Everything is done locally from Windows 10 to a VM with Centos 7.

winlogbeat.yml file in windows

output.logstash:
hosts: ["192.168.88.129:5044"]

logstash.conf file in centos

input {
  beats {
    port => 5044
  }
}

# The filter part of this file is commented out to indicate that it is
# optional.
# filter {
#
# }

output {
  elasticsearch {
    hosts => "localhost"
    index => "logstash-%{+YYYY-MM-dd}"
  }
}

With a tcdump on port 5044 i saw that logs arrives but i'm still not able to see an index created on elasticsearch or data on kibana.
Someone can help me?

andrewkroh · December 8, 2017, 4:02pm

See the Logstash output configuration that is recommended in our Getting Started documentation: https://www.elastic.co/guide/en/beats/libbeat/6.0/logstash-installation.html#logstash-setup

output {
  elasticsearch {
    hosts => "localhost:9200"
    manage_template => false
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}" 
    document_type => "%{[@metadata][type]}" 
  }
}

Additionally make sure that you manually install the Elasticsearch index template because it won't be auto installed when routing the data through LS.

fab · December 12, 2017, 11:12am

Probably the problem is with the index template that i have to create.
Have i to export the index template from windows (where i have winlogbeat directly connected with logstash) and install it in centos (where elk is installed)?

system · January 9, 2018, 11:12am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.