Unable to Send Windows Events to Logstash-WinlogBeats SOLVED

I installed Winlogbeat

winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: Security
  - name: System
winlogbeat.registry_file: C:/ProgramData/winlogbeat/.winlogbeat.yml
output.logstash:
  # The Logstash hosts
  hosts: ["ekl1.test1.com:5044"]
  ssl.enabled: true
  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  ssl.certificate_authorities: ['C:\\Users/Administrator\\Documents\\logstash.crt']

logstash.yml

input {
    beats {
        port => 5044
        ssl => true
        ssl_certificate => "/etc/pki/tls/certs/logstash.crt"
        ssl_key => "/etc/pki/tls/private/logstash.key"
    }
}

output {
    elasticsearch {
        hosts => ["https://ekl1.test1.com:9200"]
        index => "client02-eventviewer-%{+YYYY.MM.dd}"
        user => logstash
        password => "logstash"
        ssl => true
        ssl_certificate_verification => true
        cacert => "/etc/logstash/root-ca.pem"

    }
}

On Windows I have no errors:
PS C:\Users\Administrator\Downloads\winlogbeat-6.7.0-windows-x86_64\winlogbeat-6.7.0-windows-x86_64> .\winlogbeat.exe test config -c 'C:\Program Files\Winlogbeat\winlogbeat.yml' -e -v -d "*"
2019-03-29T14:08:58.306Z INFO instance/beat.go:612 Home path: [C:\Users\Administrator\Downloads\winlogbeat-6.7.0-windows-x86_64\winlogbeat-6.7.0-windows-x86_64] Config path: [C:\Users\Administrator\Downloads\winlogbeat-6.7.0-windows-x86_64\winlogbeat-6.7.0-windows-x86_64] Data path: [C:\Users\Administrator\Downloads\winlogbeat-6.7.0-windows-x86_64\winlogbeat-6.7.0-windows-x86_64\data] Logs path: [C:\Users\Administrator\Downloads\winlogbeat-6.7.0-windows-x86_64\winlogbeat-6.7.0-windows-x86_64\logs]
2019-03-29T14:08:58.360Z DEBUG [beat] instance/beat.go:649 Beat metadata path: C:\Users\Administrator\Downloads\winlogbeat-6.7.0-windows-x86_64\winlogbeat-6.7.0-windows-x86_64\data\meta.json
2019-03-29T14:08:58.363Z INFO instance/beat.go:619 Beat UUID: 143ba989-facf-4945-a063-1c61f0f12b99
2019-03-29T14:08:58.364Z INFO [beat] instance/beat.go:932 Beat info {"system_info": {"beat": {"path": {"config": "C:\Users\Administrator\Downloads\winlogbeat-6.7.0-windows-x86_64\winlogbeat-6.7.0-windows-x86_64", "data": "C:\Users\Administrator\Downloads\winlogbeat-6.7.0-windows-x86_64\winlogbeat-6.7.0-windows-x86_64\data", "home": "C:\Users\Administrator\Downloads\winlogbeat-6.7.0-windows-x86_64\winlogbeat-6.7.0-windows-x86_64", "logs": "C:\Users\Administrator\Downloads\winlogbeat-6.7.0-windows-x86_64\winlogbeat-6.7.0-windows-x86_64\logs"}, "type": "winlogbeat", "uuid": "143ba989-facf-4945-a063-1c61f0f12b99"}}}
2019-03-29T14:08:58.364Z INFO [beat] instance/beat.go:941 Build info {"system_info": {"build": {"commit": "14ca49c28a6e10b84b4ea8cdebdc46bd2eab3130", "libbeat": "6.7.0", "time": "2019-03-21T14:50:24.000Z", "version": "6.7.0"}}}
2019-03-29T14:08:58.366Z INFO [beat] instance/beat.go:944 Go runtime info {"system_info": {"go": {"os":"windows","arch":"amd64","max_procs":2,"version":"go1.10.8"}}}
2019-03-29T14:08:58.378Z INFO [beat] instance/beat.go:948 Host info {"system_info": {"host": {"architecture":"x86_64","boot_time":"2019-03-29T10:37:12.97Z","name":"EC2AMAZ-AST8S7O","ip":["fe80::14e4:260f:2db6:94b9/64","172.31.47.146/20","::1/128","127.0.0.1/8"],"kernel_version":"10.0.17763.379 (WinBuild.160101.0800)","mac":["0e:80:2c:82:2f:8e"],"os":{"family":"windows","platform":"windows","name":"Windows Server 2019 Datacenter","version":"10.0","major":10,"minor":0,"patch":0,"build":"17763.379"},"timezone":"GMT","timezone_offset_sec":0,"id":"b004a2a4-3773-4c13-ada9-90e7b7fa103c"}}}
2019-03-29T14:08:58.383Z INFO [beat] instance/beat.go:977 Process info {"system_info": {"process": {"cwd": "C:\Users\Administrator\Downloads\winlogbeat-6.7.0-windows-x86_64\winlogbeat-6.7.0-windows-x86_64", "exe": "C:\Users\Administrator\Downloads\winlogbeat-6.7.0-windows-x86_64\winlogbeat-6.7.0-windows-x86_64\winlogbeat.exe", "name": "winlogbeat.exe", "pid": 992, "ppid": 520, "start_time": "2019-03-29T14:08:58.235Z"}}}
2019-03-29T14:08:58.384Z INFO instance/beat.go:280 Setup Beat: winlogbeat; Version: 6.7.0
2019-03-29T14:08:58.386Z DEBUG [beat] instance/beat.go:301 Initializing output plugins
2019-03-29T14:08:58.387Z DEBUG [processors] processors/processor.go:66 Processors:
2019-03-29T14:08:58.388Z DEBUG [tls] tlscommon/tls.go:155 successfully loaded CA certificate: C:\Users/Administrator\Documents\logstash.crt
2019-03-29T14:08:58.389Z DEBUG [publish] pipeline/consumer.go:137 start pipeline event consumer
2019-03-29T14:08:58.390Z INFO [publisher] pipeline/module.go:110 Beat name: EC2AMAZ-AST8S7O
2019-03-29T14:08:58.391Z INFO beater/winlogbeat.go:68 State will be read from and persisted to C:/ProgramData/winlogbeat/.winlogbeat.yml
2019-03-29T14:08:58.394Z DEBUG [eventlog] eventlog/factory.go:147 Using highest priority API, wineventlog, for event log Application
2019-03-29T14:08:58.395Z DEBUG [winlogbeat] beater/winlogbeat.go:95 Initialized EventLog[Application]
2019-03-29T14:08:58.395Z DEBUG [processors] processors/processor.go:66 Processors:
2019-03-29T14:08:58.397Z DEBUG [eventlog] eventlog/factory.go:147 Using highest priority API, wineventlog, for event log Security
2019-03-29T14:08:58.398Z DEBUG [winlogbeat] beater/winlogbeat.go:95 Initialized EventLog[Security]
2019-03-29T14:08:58.400Z DEBUG [processors] processors/processor.go:66 Processors:
2019-03-29T14:08:58.401Z DEBUG [eventlog] eventlog/factory.go:147 Using highest priority API, wineventlog, for event log System
2019-03-29T14:08:58.401Z DEBUG [winlogbeat] beater/winlogbeat.go:95 Initialized EventLog[System]
2019-03-29T14:08:58.404Z DEBUG [processors] processors/processor.go:66 Processors:
Config OK

Also no errors in the Logstash logs. I can access Logstash on port 5044 from the Windows machine.

Stupid me! After a while errors started to appear in the log files; it was an SSL certs mismatch. Once I solved it, data started to appear in Elasticsearch.
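
An added example, not part of the original post: the `test config` run above only shows that the CA file loads, not that it matches what Logstash presents. The post does not say which kind of mismatch it was, so this sketch checks three common ones with the `openssl` CLI (assumed to be installed), using constructed throwaway certificates in place of the real `logstash.crt` and `logstash.key`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Requires the openssl CLI.

# Does the CA file the Beat trusts (ssl.certificate_authorities) validate the
# certificate Logstash presents (ssl_certificate)?
ca_trusts_cert() {    # <ca.crt> <server.crt>
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Do ssl_certificate and ssl_key on the Logstash side belong together?
cert_matches_key() {  # <server.crt> <server.key>
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Is the certificate valid for the host name used in output.logstash hosts?
cert_matches_host() { # <server.crt> <hostname>
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# Constructed test material: a throwaway self-signed cert/key pair.
make_cert() {         # <basename> <common name>
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# Demo: "old" and "new" stand in for a logstash.crt that was regenerated on the
# server while the Beat still holds the earlier copy.
demo() {
    d=$(mktemp -d) || return 1
    make_cert "$d/old" ekl1.test1.com && make_cert "$d/new" ekl1.test1.com || return 1
    ca_trusts_cert    "$d/new.crt" "$d/new.crt" && r="ca=ok"          || r="ca=FAIL"
    ca_trusts_cert    "$d/old.crt" "$d/new.crt" && r="$r stale=ok"    || r="$r stale=FAIL"
    cert_matches_key  "$d/new.crt" "$d/old.key" && r="$r key=ok"      || r="$r key=FAIL"
    cert_matches_host "$d/new.crt" other.test1.com && r="$r host=ok"  || r="$r host=FAIL"
    rm -rf "$d"
    echo "$r"
}
demo
```

On the real hosts, point the functions at the file named in `ssl.certificate_authorities` and at the `ssl_certificate` / `ssl_key` files from the Logstash input. Unlike `test config`, `winlogbeat.exe test output` actually connects to the configured Logstash host.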
