Using both Filebeat and Winlogbeat

kernelpanic · October 11, 2017, 7:13am

Hello all, I'm using both Filebeat and Winlogbeat to send events to Logstash which then forwards them to Elasticsearch nodes, however whilst my Winlogbeat events are being indexed in Elasticsearch I cannot find anything for Filebeat

Relevant Filebeat config:

output.logstash:
  # The Logstash hosts
  hosts: ["192.168.56.227:5045"]

Relevant Logstash config:

input {
  beats {
    client_inactivity_timeout => 1200
    port => 5044
    type => wineventlog
  }
  beats {
    client_inactivity_timeout => 1200
    port => 5045
    type => filebeat

..........................................................................................

output {
  if [type] == "wineventlog" {
   elasticsearch {
     hosts => ["192.168.56.226:9200", "192.168.52.251:9200", "192.168.52.252:9200"]
     manage_template => false
     index => "%{[@metadata][beat]}-%{+YYYY.MM}"
     document_type => "%{[@metadata][type]}"
   }
  }

if [type] == "filebeat" {
   elasticsearch {
     hosts => ["192.168.56.226:9200", "192.168.52.251:9200", "192.168.52.252:9200"]
     manage_template => false
     index => "%{[@metadata][beat]}-%{+YYYY.MM}"
     document_type => "%{[@metadata][type]}"
   }
  }

Running netstat on the Logstash box shows the filebeat client IP connecting on port 5045, can anyone explain why I'm not seeing a filebeat- index in Elasticsearch?

Thanks for any help.

steffens · October 11, 2017, 10:24am

Can you share filebeat logs?

You apply some kind of filtering chocking on filebeat input?

Btw. you don't extra ports to distinguish between filebeat and winlogbeat (especially on outputs). You can use [@metadata][beat] for filtering. This simplifies you configuration to:

input {
  beats {
    client_inactivity_timeout => 1200
    port => 5044
  }
}

output {
  elasticsearch {
     hosts => ["192.168.56.226:9200", "192.168.52.251:9200", "192.168.52.252:9200"]
     manage_template => false
     index => "%{[@metadata][beat]}-%{+YYYY.MM}"
     document_type => "%{[@metadata][type]}"
   }
}

kernelpanic · October 11, 2017, 11:48am

Thanks for you help Steffen, I changed the Logstash config as you suggested so there was just one beats input on port 5044; I then stopped the filebeat service on the client, deleted the registry file and log file then restarted the service - I can can now see a filebeat- index with the expected data in it.

Thanks once again.

system · November 8, 2017, 11:49am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Winlogbeat via Logstash into Elasticsearch Logstash	18	7717	July 22, 2017
Unable to see winlogbeat events Beats winlogbeat	8	1701	July 31, 2020
Winlogbeat events not showing in AWS Elasticsearch Beats winlogbeat	7	1545	September 13, 2018
Why do I see the winlogbeat fields in Filebeat indexes after creating the winlogbeat index? Beats filebeat , winlogbeat	3	570	November 10, 2020
Shipping Logs to Logstash not Working Beats winlogbeat	4	1460	November 3, 2017

Using both Filebeat and Winlogbeat

Related Topics