I am very new to the ELK stack and Beats. I have an ELK stack set up on a Windows 2012 R2 server and am collecting winlogbeat, packetbeat and topbeat from the host of the ELK stack. I'm now trying to add winlogbeat to one of my domain controllers. The ELK host and DC are on the same subnet. I've installed the winlogbeat service, and here is the .yml I'm using:
winlogbeat:
  registry_file: C:/ProgramData/winlogbeat/.winlogbeat.yml
  event_logs:
    - name: Application
    - name: Security
    - name: System
output:
  logstash:
    hosts: ["10.20.1.27:5045"]
logging:
  to_files: true
  files:
    path: C:/ProgramData/winlogbeat/Logs
  level: info
In the winlogbeat / logs file I see the following log error:
2016-07-29T09:45:53-07:00 INFO Connecting error publishing events (retrying): dial tcp 10.20.1.27:5045: connectex: No connection could be made because the target machine actively refused it.
2016-07-29T09:45:53-07:00 INFO send fail
2016-07-29T09:45:53-07:00 INFO backoff retry: 1m0s
By target, I assume it means the ELK host. I've tried turning off the Windows Firewall, no AV is installed currently, and there are no policies on the network that would prevent this traffic from hitting the host.
Any help would be appreciated.