Winlogbart 6.0.1- Logstash beats parser error

Raj_Kumar · February 12, 2018, 2:41pm

Hi All,

Iam trying to send the windows events using winlogbeat to logstash, all the four components have 6.0.1 version.

Logstash conf


input {
  beats {
    port => 5547
    tags => "windows"
  }
}




output {
    if ( "windows" in [tags] ) {
    elasticsearch {
      index => "winlogbeat-%{+YYYY.MM.dd}"
       hosts => ["https://localhost:9200"]
      cacert => '/usr/share/elasticsearch/bin/x-pack/ca/ca.crt'
      ssl_certificate_verification => false
      ssl => true
      user => "xxxx"
      password => "xxx"
     }
  }
}

Am getting this message in logstash-plain.log

[2018-02-12T09:26:00,366][INFO ][logstash.inputs.metrics  ] Monitoring License OK
[2018-02-12T09:26:05,797][INFO ][org.logstash.beats.BeatsHandler] [local: 0.0.0.0:5547, remote: x.x.x.x:53209] Handling exception: org.logstash.beats.BeatsParser$InvalidFrameProtocolException: Invalid Frame Type, received: 69
[2018-02-12T09:26:05,800][INFO ][org.logstash.beats.BeatsHandler] [local: 0.0.0.0:5547, remote: x.x.x.x:53209] Handling exception: org.logstash.beats.BeatsParser$InvalidFrameProtocolException: Invalid Frame Type, received: 84

Am not sure whats the mistake,I have made please do let me know to fix this issue.
Thanks,
Raj

magnusbaeck · February 13, 2018, 7:54am

What does your Winlogbeat configuration look like? Make sure you format the YAML as preformatted text so we can see the exact formatting.

Raj_Kumar · February 13, 2018, 8:29am

Sure thanks Magnus , I will look in to that

system · March 13, 2018, 8:30am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.