Winlogbeat indices works but not see in Kibana

I have ELK stack working well with Logstash. Input is Syslog.
Just trying out winlogbeat in from Windows server to CentOS (ELK) server not works.
Checking indices, I can see all but, unable to view in Kibana.
Need help how to configure correct settings in logstash config.

Here is logstash config.

input {
beats {
port => 5443
type => "log"
udp {
port => 5514
type => syslog

filter {
if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:[%{POSINT:syslog_pid}])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]

output {
elasticsearch { hosts => ["localhost:9200"] }
stdout { codec => rubydebug }
curl -XGET "http://localhost:9200/_cat/indices?v"
health status index uuid pri rep docs.count docs.deleted store.size
yellow open logstash-2017.12.30 y9YI3we-STKscYmYqg-XgQ 5 1 0 0 955b 955b
red open logstash-2018.04.01 0igJRyd2Qwi8-woLr5SZ3g 5 1 580 0 2.7mb 2.7mb
red open winlogbeat-6.2.4-2018.04.18 gUqSMxaWQO-0gG9rzp0FOQ 3 1
yellow open winlogbeat-6.2.4-2017.12.22 0rX2D_1sQsKNa1m78KyjPw 3 1 300 0 792.1kb 792.1kb
yellow open .kibana cJgmLTRyTUqvJw6UzvC9Eg 1 1 3 0 52kb 52kb
yellow open logstash-2017.12.31 HVbJaMekSF20Set0LlOa-Q 5 1 0 0 955b 955b
red open %{[@metadata][beat]}-2018.04.21 rc2QizN9SZmPU69UVKn2tg 5 1 0 0 648b 648b
red open logstash-2017.12.23 5E4iR04zSIqKLsaQxF6tQA 5 1 52 0 451.2kb 451.2kb
yellow open logstash-2018.04.18 v2qTfqSKTeeS6-1nxpBW5Q 5 1 49985 0 10mb 10mb
red open winlogbeat-6.2.4-2018.04.20 NwAEDWaPQZiyNpvkQpRfug 3 1
red open winlogbeat-6.2.4-2018.04.19 Ug67pfGKT6GHNYdjBRUDSQ 3 1
yellow open logstash-2018.04.21 LX_DTsLOTU2dDpF_oFfgtQ 5 1 98130 0 39.7mb 39.7mb
yellow open winlogbeat-6.2.4-2018.04.01 ts6px3TiRVSdQoAqumcwJw 3 1 414 0 1.1mb 1.1mb

Are you able to see any of that _cat/indices data in Kibana?

The winlogbeat-6.2.4-2018.* indices look red, are you able to pin point why?

Finally, filebeat, winlogbeat and syslog are working now.
The reason is my server's resource in test VM. After I rebuild new server with high memory it is working now.

But, there is one issue with filebeat. I send sample IIS log from Windows server to Kibana via logstash with SSL cert certificate. It failed to received log. What I can confirmed is capturing packet in CentOS (ELK) server. All packets reset.

Then, I disabled SSL in server as well as in filebeat, it works!!
So, may I know what is the correct configuration of the filebeat configuration with SSL cert?

Here is mine.


  • type: log
    enabled: true
    • C:\inetpub\logs\LogFiles**
      type: iis
      fields_under_root: true
      encoding: utf-8
      exclude_lines: ["^#"]
      exclude_files: [".zip"]
      ignore_older: 2h
      hosts: [""]
      certificate_authorities: ["E:/filebeat-6.2.4-windows-x86_64/logstash-forwarder.crt"]


Following such steps here:

Let me know how far you get and what errors you see.

I have gone through this document. All works well except from line start with tls:

The link havent mention how to set correct path for crt file in Windows.

Thats why I am confused. Some document mentioned that it shoud start with ssl: instead of tls:

Please share with me anyone has working config file for Windows using filebeat with tls.

Which documentation did you follow to get the config you have right now? With the filebeat.prospectors paths tls?

Yes, I tried with tls and ssl too. Both failed.
Disabling tls or ssl works straight away.

If enable ssl or tls, server is rejecting with TCP RST packet.



This is the one.

I have one CentOS and this server can send filebeat log from /var/log/ using tls with crt file.
Only from Windows server is having issue with IIS log from C:\Inetpub\www\logs folder.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.