Hi,
I wanted to install winlogbeat on a Windows Server to get its information. I forwarded the logs to Logstash, but after starting the service, the following problems appear:
2020-06-24T14:41:32.573+0200 ERROR [logstash] logstash/async.go:280 Failed to publish events caused by: lumberjack protocol error
2020-06-24T14:41:32.634+0200 ERROR [logstash] logstash/async.go:280 Failed to publish events caused by: client is not connected
2020-06-24T14:41:34.575+0200 ERROR [publisher_pipeline_output] pipeline/output.go:181 failed to publish events: client is not connected
I configured the ELK Stack on CentOS 7, everything works fine, and I already get logs from Filebeat on Linux servers.
I can also connect to the ELK server from my Windows client:
RemotePort : 5044
InterfaceAlias : Ethernet0
TcpTestSucceeded : True
In the winlogbeat.yml I commented out the elastic output and configured the Logstash output as follows:
# ------------------------------ Logstash Output -------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["XXX.XXX.XXX:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  # ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  # ssl.key: "/etc/pki/client/cert.key"
Also, the ELK server is listening on port 5044:
tcp6 0 0 :::5044 :::* LISTEN 2619/java
I also tried the new .msi installer, same problem. The problems also appear if I use the FQDN instead of the IP.
Does anyone have an idea why it's not working with winlogbeat?
Thanks!