Winlogbeat does not send logs to Logstash

student · May 9, 2018, 8:30am

Hi

I've recently been trying to make it so Winlogbeat sends it's logs to Logstash but nothing is happening. Then I tried to send logs directly to Elasticsearch and it works. I don't know what the problem is.
I've checked my firewall and there is nothing blocking it.

Logstash configuration:

input {
tcp {
port => 5001
}
}

filter {
grok {
match => [ 'TimeCreated', "Date(%{NUMBER:timestamp})" ]
}
date {
match => [ 'timestamp', 'UNIX_MS' ]
}
}
output {
elasticsearch {
hosts => ["localhost:9200"]
index => ["winlogbeat"]
}
}

Logstash says in the logs that it's listening on port 5001 for tcp. I've also changed the Winlogbeat output to send with tcp to port 5001.
I also tried to use beats instead of tcp but nothing differed, it still didn't get any input.
To simplify I have not used any SSL, user authentication or anything else that might bother the connection.

exekias · May 9, 2018, 10:26am

Hi @student,

If there is an error you will probably see it in Winlogbeat logs, did you have a look to them?

Best regards

student · May 9, 2018, 11:56am

Hi

Thank you I didn't know that you have to specify that you want logs from winlogbeat.
Is there a way to make winlogbeat send using UDP?

student · May 10, 2018, 7:42am

I've resolved it, the firewall wasn't opend for my subnet.

system · June 7, 2018, 9:43am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.