Unable to see winlogbeat events

Hi,

I'm new to Elasticsearch and have configured version 7 running on CentOS 7. I'm trying to configure a Windows server to send event logs to the ESS server, but I'm not able to see any events under the winlogbeat index pattern.

Below is my winlogbeat.yml file.

    winlogbeat.event_logs:
      - name: Application
      - name: System
      - name: Security

    setup.template.settings:
      index.number_of_shards: 1

    setup.kibana:
      host: "ESS_IP:5601"

    output.logstash:
      hosts: ["ESS_IP:5044"]

    processors:
      - add_host_metadata: ~
      - add_cloud_metadata: ~
      - add_docker_metadata: ~

Please help on this.

Hi @nkrshna, you need to configure output.elasticsearch (https://www.elastic.co/guide/en/beats/winlogbeat/current/elasticsearch-output.html); I see you are sending the events to Logstash instead.

@MarianaD Thanks for the reply.

I have made changes as below.

    winlogbeat.event_logs:
      - name: Application
      - name: System
      - name: Security

    setup.template.settings:
      index.number_of_shards: 1

    setup.kibana:
      host: "ESS_IP:5601"

    output.elasticsearch:
      hosts: ["ESS_IP:9200"]

    processors:
      - add_host_metadata: ~
      - add_cloud_metadata: ~
      - add_docker_metadata: ~

In Kibana, how can I check the data? I'm completely new to Elasticsearch.

Hi @nkrshna, you can use the Dev Tools console and query for any winlogbeat events:
https://www.elastic.co/guide/en/kibana/current/console-kibana.html

    GET winlogbeat*/_search

should do the trick.

Thanks @MarianaD. I have tried the same in Dev Tools but got the output below. I think there is no data being parsed.

    {
      "took" : 0,
      "timed_out" : false,
      "_shards" : {
        "total" : 0,
        "successful" : 0,
        "skipped" : 0,
        "failed" : 0
      },
      "hits" : {
        "total" : {
          "value" : 0,
          "relation" : "eq"
        },
        "max_score" : 0.0,
        "hits" : [ ]
      }
    }
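The response above carries more information than "no hits": `_shards.total` is 0, which means no index matched `winlogbeat*` at all, so Winlogbeat never wrote a single document (an index that exists but is empty would still report one or more shards). The following script is an added example for this thread, not code from the thread or from Elastic; it classifies constructed `_search` responses of the same shape and says where to look next. The index name and `winlog.channel` / `winlog.event_id` fields in the sample with data are assumptions about the Winlogbeat 7 document layout.

```python
"""Classify a Kibana Dev Tools `GET winlogbeat*/_search` response.

Added example for this thread, not code from the thread or from Elastic.
The three constructed responses below mimic what Elasticsearch 7 returns;
the one quoted in the thread has "_shards.total": 0, which means no index
matched the pattern at all, i.e. Winlogbeat never created one.
"""
import json

# Constructed: same shape as the response quoted in the thread (no index matched).
NO_INDEX_RESPONSE = """{
  "took": 0, "timed_out": false,
  "_shards": {"total": 0, "successful": 0, "skipped": 0, "failed": 0},
  "hits": {"total": {"value": 0, "relation": "eq"}, "max_score": 0.0, "hits": []}
}"""

# Constructed: the index exists (one shard searched) but holds no documents.
EMPTY_INDEX_RESPONSE = """{
  "took": 1, "timed_out": false,
  "_shards": {"total": 1, "successful": 1, "skipped": 0, "failed": 0},
  "hits": {"total": {"value": 0, "relation": "eq"}, "max_score": null, "hits": []}
}"""

# Constructed: two Windows events; index name and winlog.* fields follow the
# Winlogbeat 7 defaults (assumption about the exact document shape).
DATA_RESPONSE = """{
  "took": 3, "timed_out": false,
  "_shards": {"total": 1, "successful": 1, "skipped": 0, "failed": 0},
  "hits": {"total": {"value": 2, "relation": "eq"}, "max_score": 1.0, "hits": [
    {"_index": "winlogbeat-7.0.0-2019.05.01",
     "_source": {"winlog": {"channel": "Security", "event_id": 4624}}},
    {"_index": "winlogbeat-7.0.0-2019.05.01",
     "_source": {"winlog": {"channel": "System", "event_id": 7036}}}
  ]}
}"""

# What the operator should look at next for each outcome.
NEXT_STEP = {
    "no_index": "no index matched: check the Winlogbeat log for output/connection errors",
    "empty": "index exists but is empty: check winlogbeat.event_logs and the query time range",
    "shard_failures": "some shards failed: read the Elasticsearch log on the cluster",
    "has_data": "events are arriving: build the index pattern and dashboards",
}


def hit_total(resp):
    """hits.total is an object in ES 7 and a bare integer in ES 6 and earlier."""
    total = resp["hits"]["total"]
    return total["value"] if isinstance(total, dict) else int(total)


def classify_search_response(raw_json):
    """Return one of the NEXT_STEP keys for a _search response body."""
    resp = json.loads(raw_json)
    shards = resp.get("_shards", {})
    if shards.get("failed", 0) > 0:
        return "shard_failures"
    if shards.get("total", 0) == 0:
        return "no_index"
    return "has_data" if hit_total(resp) > 0 else "empty"


def channels_seen(raw_json):
    """Count returned hits per Windows event log channel (winlog.channel)."""
    counts = {}
    for hit in json.loads(raw_json)["hits"]["hits"]:
        channel = hit.get("_source", {}).get("winlog", {}).get("channel", "unknown")
        counts[channel] = counts.get(channel, 0) + 1
    return counts


if __name__ == "__main__":
    for name, body in [("no index", NO_INDEX_RESPONSE),
                       ("empty index", EMPTY_INDEX_RESPONSE),
                       ("with data", DATA_RESPONSE)]:
        outcome = classify_search_response(body)
        print(f"{name:12s} -> {outcome}: {NEXT_STEP[outcome]} {channels_seen(body)}")
```

Paste a real Dev Tools response into `classify_search_response` to get the same triage; for the thread's response it returns `no_index`, which points at the Beat side (its own log and the output connection) rather than at Kibana or the query.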

Hi @nkrshna, can you check the Winlogbeat logs and the Elasticsearch logs? They will most likely tell you more about the reason. If there is no relevant info in the logs, can you enable the debug level and retry?

Hi @MarianaD, I have gone through the Winlogbeat configuration once again and I see this error when executing the command below on the Windows system as administrator in PowerShell.

    PS > .\winlogbeat.exe setup --index-management -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'

Error message:

    PS C:\Program Files\Winlogbeat> .\winlogbeat.exe setup --index-management -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'
    Exiting: couldn't connect to any of the configured Elasticsearch hosts. Errors: [error connecting to Elasticsearch at http://localhost:9200: Get http://localhost:9200: dial tcp [::1]:9200: connectex: No connection could be made because the target machine actively refused it.]
    PS C:\Program Files\Winlogbeat> .\winlogbeat.exe setup --index-management -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["Elasticsearch_IP:9200"]'
    Exiting: couldn't connect to any of the configured Elasticsearch hosts. Errors: [error connecting to Elasticsearch at http://Elasticsearch_IP:9200: Get http://Elasticsearch_IP:9200: dial tcp Elasticsearch_IP:9200: connectex: No connection could be made because the target machine actively refused it.]

Can you help further on this?

After setting network.host: 0.0.0.0 in the elasticsearch.yml file and restarting the Elasticsearch service, the issue got resolved and Windows events are reflected in the portal.
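The "connection refused" in the previous post is exactly what a remote Beat sees while Elasticsearch is still bound to loopback (the 7.x default), so changing network.host is the right fix; what changes once the node leaves loopback is worth checking at the same time. The script below is an added example for this thread, not code from the thread or from Elastic. It reads the flat `key: value` lines an elasticsearch.yml normally consists of (assumption: no nested YAML, so no PyYAML dependency), and flags three things about a non-loopback node: binding to 0.0.0.0 listens on every interface; Elasticsearch 7 enforces its bootstrap checks on such a node and refuses to start without a discovery setting unless discovery.type is single-node; and on the free licence xpack.security.enabled is off by default, so port 9200 answers without credentials. The 192.0.2.10 address in the hardened sample is a documentation address standing in for the thread's ESS_IP placeholder.

```python
"""Review the network-facing settings of an elasticsearch.yml.

Added example for this thread, not code from the thread or from Elastic.
It reads only the flat "key: value" lines elasticsearch.yml normally consists
of (assumption: no nested YAML, so no PyYAML dependency) and reports what
changes once network.host leaves loopback, which is the fix the thread ends
with.
"""

# Constructed: the minimal change the thread ends with.
AS_POSTED = """
cluster.name: ess-lab
network.host: 0.0.0.0     # every IPv4 interface
"""

# Constructed: reachable from the Windows host on one address only, started in
# single-node mode, and requiring credentials on 9200. 192.0.2.10 is a
# documentation address standing in for the thread's ESS_IP placeholder.
HARDENED = """
cluster.name: ess-lab
network.host: 192.0.2.10
discovery.type: single-node
xpack.security.enabled: true
"""

LOOPBACK = {"_local_", "localhost", "127.0.0.1", "::1"}
ALL_INTERFACES = {"0.0.0.0", "::"}
# Elasticsearch 7 bootstrap checks require one of these on a non-loopback node
# (the single-node discovery type switches the checks off instead).
DISCOVERY_KEYS = ("discovery.seed_hosts", "discovery.seed_providers",
                  "cluster.initial_master_nodes", "discovery.type")


def parse_flat_yaml(text):
    """Parse top-level `key: value` lines; strips comments and quotes."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def review_network_settings(text):
    """Return sorted finding codes for the given elasticsearch.yml text."""
    s = parse_flat_yaml(text)
    host = s.get("network.host", "_local_")   # ES default binds loopback only
    findings = []
    if host in LOOPBACK:
        # The thread's original fault: a Beat on another host gets
        # "connection refused" because nothing listens on the LAN address.
        findings.append("loopback_only")
        return findings
    if host in ALL_INTERFACES:
        findings.append("binds_all_interfaces")
    if not any(k in s for k in DISCOVERY_KEYS):
        findings.append("no_discovery_config")
    if s.get("xpack.security.enabled", "false").lower() != "true":
        findings.append("security_disabled")   # 7.x default: no auth on 9200
    return sorted(findings)


if __name__ == "__main__":
    for label, cfg in [("as posted", AS_POSTED), ("hardened", HARDENED)]:
        print(f"{label:10s} -> {review_network_settings(cfg) or ['ok']}")
```

Run it against the file under /etc/elasticsearch to see which of the findings apply. If the hardened variant is adopted, the Winlogbeat side needs output.elasticsearch.username and output.elasticsearch.password set as well, and `winlogbeat.exe test output` run from the same PowerShell session as the setup command above confirms the connection before any events are shipped.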
