I am very new to the ELK stack and Beats. I have an ELK stack set up on a Windows 2012 R2 server and am collecting winlogbeat, packetbeat and topbeat from the host of the ELK stack. I'm now trying to add winlogbeat to one of my domain controllers. The ELK host and DC are on the same subnet, I've installed the winlogbeat service and here is the .yml I'm using:
In the winlogbeat / logs file I see the following log error:
2016-07-29T09:45:53-07:00 INFO Connecting error publishing events (retrying): dial tcp 10.20.1.27:5045: connectex: No connection could be made because the target machine actively refused it.
2016-07-29T09:45:53-07:00 INFO send fail
2016-07-29T09:45:53-07:00 INFO backoff retry: 1m0s
By target, I assume it means the ELK host. I've tried turning off the Windows Firewall, no AV is installed currently and there are no policies on the network that would prevent this traffic from hitting the host.
I am NOT able to telnet from the Winlogbeat host to the Logstash server on that port; I can telnet to it on the default telnet port and even on 5601, which is the web host port. I've turned off Windows Firewall on both source and destination; there is no AV on either server currently.
Not sure why, with Windows Firewall off on both clients and no AV, I cannot telnet to it on any port I want. Well... Can I use 5601 to send my logs? Or is that only for the web host?
Are you sure Logstash is both running and listening on 5045? Check that the process is still running. If not, check the logs and post the config. Also check the output of netstat to verify that there is a TCP port listening on 0.0.0.0:5045.
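The two checks suggested in that reply, as an added PowerShell example (not code from the thread or from Elastic): one function for the ELK host to confirm a listener exists on the Beats port and is not bound to loopback only, and one for the Winlogbeat host to confirm a TCP handshake to it succeeds. The address and port are the ones from the posted log line; it assumes the NetTCPIP cmdlets (Windows Server 2012 and later) are available.

```powershell
# Added diagnostic for the "target machine actively refused it" error above.
# Requires Get-NetTCPConnection / Test-NetConnection (NetTCPIP module, Server 2012+).

function Test-BeatsListener {
    # Run ON the ELK host: is anything listening on the Beats input port, and on which address?
    param([int]$Port = 5045)
    $listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    if (-not $listeners) {
        Write-Warning "Nothing is listening on TCP $Port. Logstash is not running, or its beats input is not on this port."
        return $false
    }
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        Write-Host ("Listening on {0}:{1} (PID {2}, {3})" -f $l.LocalAddress, $l.LocalPort, $l.OwningProcess, $proc.ProcessName)
        if ($l.LocalAddress -eq '127.0.0.1' -or $l.LocalAddress -eq '::1') {
            # A loopback-only bind looks exactly like "refused" from a remote Beats host.
            Write-Warning 'Listener is bound to loopback only; set host => "0.0.0.0" on the Logstash beats input.'
        }
    }
    return $true
}

function Test-BeatsReachability {
    # Run ON the Beats host: can we complete a TCP handshake to the Logstash port?
    param([string]$ComputerName = '10.20.1.27', [int]$Port = 5045)
    $r = Test-NetConnection -ComputerName $ComputerName -Port $Port -WarningAction SilentlyContinue
    if ($r.TcpTestSucceeded) {
        Write-Host "TCP ${ComputerName}:$Port is reachable; look at the Logstash config rather than the network."
    } elseif ($r.PingSucceeded) {
        Write-Warning "Host answers ICMP but port $Port is closed or filtered: check the listener on the ELK host and any firewall in between."
    } else {
        Write-Warning "Host $ComputerName does not answer at all: check routing and firewalls first."
    }
    return $r.TcpTestSucceeded
}

# Usage: Test-BeatsListener on the ELK host, Test-BeatsReachability on the domain controller.
```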
No, that's the Kibana web server. It doesn't accept data from Beats.
Thanks for the documentation links. I went through both of those and made the necessary changes. After making the changes my Kibana is returning the following error:
Something interesting is that with the other beats files such as winlogbeat, topbeat, packetbeat, I see those in the Windows C:\ProgramData folder with logs in each; however, Logstash is not listed in C:\ProgramData. Not sure if that is normal, but it doesn't seem consistent.
Logstash writes to stdout by default. So if you want to get more verbose information logged to stdout you can add flags like --verbose or --debug, and if you want that data logged to a file you can use --log FILE. See Logstash Command-line flags.