Unable to send winlogbeat data to logstash

I have

  • Both metricbeat and winlogbeat agents installed on same AWS EC2 windows instance. I am trying to push the data to logstash. Logstash is just processing metricbeat data but not for winlogbeat.
    I am using metricbeat v6.3.1 and winlogbeat 6.3.2

Error from logstash:
[WARN ][io.netty.channel.DefaultChannelPipeline] An exceptionCaught() event was fired, and it reached at the tail of the pipeline. It usually means the last handler in the pipeline did not handle the exception

Here is the configuration for metricbeat:

#========================== Modules configuration ============================

metricbeat.modules:

#------------------------------- System Module -------------------------------

- module: system
  metricsets: ["cpu"]
  enabled: true
  period: 10s
  processes: ['.*']

#================================ Outputs =====================================

# Configure what output to use when sending the data collected by the beat.

#----------------------------- Logstash output --------------------------------
output.logstash:
  hosts: ["127.0.0.1:5044"]

Configuration for winlogbeat:
#======================= Winlogbeat specific options ==========================

winlogbeat.event_logs:

  - name: Application
    ignore_older: 72h
  - name: Security
  - name: System

#================================ Outputs =====================================

# Configure what output to use when sending the data collected by the beat.

#----------------------------- Logstash output --------------------------------
output.logstash:
  hosts: ["127.0.0.1:5044"]

Configuration for Logstash:
input {
  beats {
    port => 5044
  }
}

output {
  amazon_es {
    hosts => "search-myelasticsearch-qynnaupascgdhsm.us-east-1.es.amazonaws.com"
    region => "us-east-1"
    aws_access_key_id => ''
    aws_secret_access_key => ''
    index => "logs-%{+YYYY.MM.dd}"
  }
}

Please advise what I should be doing to fix this.

Both metricbeat and winlogbeat agents installed on same AWS EC2 windows instance. I am trying to push the data to logstash. Logstash is just processing metricbeat data but not for winlogbeat.

Does the Winlogbeat logfile contain anything interesting? If not, try raising its loglevel.

Error from logstash:
[WARN ][io.netty.channel.DefaultChannelPipeline] An exceptionCaught() event was fired, and it reached at the tail of the pipeline. It usually means the last handler in the pipeline did not handle the exception

That's just a warning that hardly is relevant in this case. Is there anything else in the log?

I tried sending winlogbeat data to a different logstash instance, it worked. It looks like it is not letting me send different beat agents data to same logstash instance.

Here are the logs from /var/log/logstash/ when I tried to send data for both winlogbeat and metricbeat to same logstash instance.

"
[2018-08-08T00:00:22,606][INFO ][org.logstash.beats.Server] Starting server on port: 5044
[2018-08-08T00:00:28,825][ERROR][logstash.pipeline ] A plugin had an unrecoverable error. Will restart this plugin.
Pipeline_id:main
Plugin: <LogStash::Inputs::Beats type=>"wineventlog", port=>5044, id=>"12deb3eecd08e0f810ba7fdd1e851bab70a79c84305f1f7a691d32d22a866675", enable_metric=>true, codec=><LogStash::Codecs::Plain id=>"plain_f59a724b-9b39-441c-961a-9419fff46c3a", enable_metric=>true, charset=>"UTF-8">, host=>"0.0.0.0", ssl=>false, add_hostname=>true, ssl_verify_mode=>"none", ssl_peer_metadata=>false, include_codec_tag=>true, ssl_handshake_timeout=>10000, tls_min_version=>1, tls_max_version=>1.2, cipher_suites=>["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"], client_inactivity_timeout=>60, executor_threads=>2>
Error: Address already in use
Exception: Java::JavaNet::BindException
Stack: sun.nio.ch.Net.bind0(Native Method)
sun.nio.ch.Net.bind(sun/nio/ch/Net.java:433)
sun.nio.ch.Net.bind(sun/nio/ch/Net.java:425)
sun.nio.ch.ServerSocketChannelImpl.bind(sun/nio/ch/ServerSocketChannelImpl.java:223)
io.netty.channel.socket.nio.NioServerSocketChannel.doBind(io/netty/channel/socket/nio/NioServerSocketChannel.java:128)
io.netty.channel.AbstractChannel$AbstractUnsafe.bind(io/netty/channel/AbstractChannel.java:558)
io.netty.channel.DefaultChannelPipeline$HeadContext.bind(io/netty/channel/DefaultChannelPipeline.java:1283)
io.netty.channel.AbstractChannelHandlerContext.invokeBind(io/netty/channel/AbstractChannelHandlerContext.java:501)
io.netty.channel.AbstractChannelHandlerContext.bind(io/netty/channel/AbstractChannelHandlerContext.java:486)
io.netty.channel.DefaultChannelPipeline.bind(io/netty/channel/DefaultChannelPipeline.java:989)
io.netty.channel.AbstractChannel.bind(io/netty/channel/AbstractChannel.java:254)
io.netty.bootstrap.AbstractBootstrap$2.run(io/netty/bootstrap/AbstractBootstrap.java:364)
io.netty.util.concurrent.AbstractEventExecutor.safeExecute(io/netty/util/concurrent/AbstractEventExecutor.java:163)
io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(io/netty/util/concurrent/SingleThreadEventExecutor.java:403)
io.netty.channel.nio.NioEventLoop.run(io/netty/channel/nio/NioEventLoop.java:463)
io.netty.util.concurrent.SingleThreadEventExecutor$5.run(io/netty/util/concurrent/SingleThreadEventExecutor.java:858)
io.netty.util.concurrent.FastThreadLocalRunnable.run(io/netty/util/concurrent/FastThreadLocalRunnable.java:30)
java.lang.Thread.run(java/lang/Thread.java:748)
"

You can't have two beats inputs listening on the same port (and there's no need for that either unless you for some reason must process the events in two different Logstash pipelines).

Thank you.
Do you mean that we can send data from same source for 2 different beats agents on different ports to same logstash instance?
If above is true, how do we then achieve this?

Config should be something like this?
input {
  beats {
    port => 5044
  }
}

output {
  amazon_es {
    hosts => "search-myelasticsearch-qynnaupascgdhsm.us-east-1.es.amazonaws.com"
    region => "us-east-1"
    aws_access_key_id => ''
    aws_secret_access_key => ''
    index => "metriclogs-%{+YYYY.MM.dd}"
  }
}

input {
  beats {
    port => 5043
  }
}

output {
  amazon_es {
    hosts => "search-myelasticsearch-qynnaupascgdhsm.us-east-1.es.amazonaws.com"
    region => "us-east-1"
    aws_access_key_id => ''
    aws_secret_access_key => ''
    index => "wineventlogs-%{+YYYY.MM.dd}"
  }
}

Do you mean that we can send data from same source for 2 different beats agents on different ports to same logstash instance?

Yes, but I see no reason to use different ports.

This thread is very similar to a lengthy thread from yesterday and I don't want to repeat myself: How to split linux and windows data in two different indexes
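
Added example, not part of the original thread and not any participant's configuration: a single-port Logstash pipeline that accepts both Beats on 5044 and routes by shipper name. It assumes the `[@metadata][beat]` field that Beats attach to every event and reuses the index names proposed in the thread. In one pipeline every event reaches every `output` block, so the split has to be done with conditionals rather than with a second input.

```conf
# Added example. Keep exactly one beats input for this port across ALL files
# of the pipeline: Logstash merges every file in the pipeline's config
# directory, and a second beats input on the same port fails with the
# "Address already in use" BindException shown in the log above.
input {
  beats {
    port => 5044
  }
}

output {
  # Beats set [@metadata][beat] to the shipper's name.
  if [@metadata][beat] == "winlogbeat" {
    amazon_es {
      hosts => "search-myelasticsearch-qynnaupascgdhsm.us-east-1.es.amazonaws.com"
      region => "us-east-1"
      aws_access_key_id => ''       # left blank, as in the thread's posts
      aws_secret_access_key => ''
      index => "wineventlogs-%{+YYYY.MM.dd}"
    }
  } else if [@metadata][beat] == "metricbeat" {
    amazon_es {
      hosts => "search-myelasticsearch-qynnaupascgdhsm.us-east-1.es.amazonaws.com"
      region => "us-east-1"
      aws_access_key_id => ''
      aws_secret_access_key => ''
      index => "metriclogs-%{+YYYY.MM.dd}"
    }
  } else {
    # Anything from an unexpected shipper lands in the original catch-all
    # index instead of being mixed into the per-beat indexes.
    amazon_es {
      hosts => "search-myelasticsearch-qynnaupascgdhsm.us-east-1.es.amazonaws.com"
      region => "us-east-1"
      aws_access_key_id => ''
      aws_secret_access_key => ''
      index => "logs-%{+YYYY.MM.dd}"
    }
  }
}
```

The failing plugin in the error log is a beats input with `type=>"wineventlog"`, which does not appear in the configuration posted in the thread, so checking the config directory for a second file that declares a beats input on 5044 is the first step before applying this.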
