Winlogbeat indices works but not see in Kibana

lcguy · April 21, 2018, 12:45pm

Hi,
I have ELK stack working well with Logstash. Input is Syslog.
Just trying out winlogbeat in from Windows server to CentOS (ELK) server not works.
Checking indices, I can see all but, unable to view in Kibana.
Need help how to configure correct settings in logstash config.

Here is logstash config.

input {
beats {
port => 5443
type => "log"
}
udp {
port => 5514
type => syslog
}
}

filter {
if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:[%{POSINT:syslog_pid}])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}
}

output {
elasticsearch { hosts => ["localhost:9200"] }
stdout { codec => rubydebug }
}
+++++++++++++++++++++++++++++++++++++++++++++++++++
curl -XGET "http://localhost:9200/_cat/indices?v"
health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
yellow open logstash-2017.12.30 y9YI3we-STKscYmYqg-XgQ 5 1 0 0 955b 955b
red open logstash-2018.04.01 0igJRyd2Qwi8-woLr5SZ3g 5 1 580 0 2.7mb 2.7mb
red open winlogbeat-6.2.4-2018.04.18 gUqSMxaWQO-0gG9rzp0FOQ 3 1
yellow open winlogbeat-6.2.4-2017.12.22 0rX2D_1sQsKNa1m78KyjPw 3 1 300 0 792.1kb 792.1kb
yellow open .kibana cJgmLTRyTUqvJw6UzvC9Eg 1 1 3 0 52kb 52kb
yellow open logstash-2017.12.31 HVbJaMekSF20Set0LlOa-Q 5 1 0 0 955b 955b
red open %{[@metadata][beat]}-2018.04.21 rc2QizN9SZmPU69UVKn2tg 5 1 0 0 648b 648b
red open logstash-2017.12.23 5E4iR04zSIqKLsaQxF6tQA 5 1 52 0 451.2kb 451.2kb
yellow open logstash-2018.04.18 v2qTfqSKTeeS6-1nxpBW5Q 5 1 49985 0 10mb 10mb
red open winlogbeat-6.2.4-2018.04.20 NwAEDWaPQZiyNpvkQpRfug 3 1
red open winlogbeat-6.2.4-2018.04.19 Ug67pfGKT6GHNYdjBRUDSQ 3 1
yellow open logstash-2018.04.21 LX_DTsLOTU2dDpF_oFfgtQ 5 1 98130 0 39.7mb 39.7mb
yellow open winlogbeat-6.2.4-2018.04.01 ts6px3TiRVSdQoAqumcwJw 3 1 414 0 1.1mb 1.1mb

JKhondhu · April 21, 2018, 5:08pm

Are you able to see any of that _cat/indices data in Kibana?

The winlogbeat-6.2.4-2018.* indices look red, are you able to pin point why?

lcguy · April 22, 2018, 12:51pm

Finally, filebeat, winlogbeat and syslog are working now.
The reason is my server's resource in test VM. After I rebuild new server with high memory it is working now.

But, there is one issue with filebeat. I send sample IIS log from Windows server to Kibana via logstash with SSL cert certificate. It failed to received log. What I can confirmed is capturing packet in CentOS (ELK) server. All packets reset.

Then, I disabled SSL in server as well as in filebeat, it works!!
So, may I know what is the correct configuration of the filebeat configuration with SSL cert?

Here is mine.

filebeat.prospectors:

type: log
enabled: true
paths:
- C:\inetpub\logs\LogFiles**
  fields:
  type: iis
  fields_under_root: true
  encoding: utf-8
  exclude_lines: ["^#"]
  exclude_files: [".zip"]
  ignore_older: 2h
  output.logstash:
  hosts: ["192.168.1.50:5443"]
  tls:
  certificate_authorities: ["E:/filebeat-6.2.4-windows-x86_64/logstash-forwarder.crt"]

JKhondhu · April 23, 2018, 8:18am

Hi,

Following such steps here: https://www.elastic.co/guide/en/beats/filebeat/current/configuring-ssl-logstash.html

Let me know how far you get and what errors you see.

lcguy · April 23, 2018, 11:06pm

I have gone through this document. All works well except from line start with tls:

The link havent mention how to set correct path for crt file in Windows.

Thats why I am confused. Some document mentioned that it shoud start with ssl: instead of tls:

Please share with me anyone has working config file for Windows using filebeat with tls.

JKhondhu · April 24, 2018, 8:08am

Which documentation did you follow to get the config you have right now? With the filebeat.prospectors paths tls?

lcguy · April 24, 2018, 8:10am

Yes, I tried with tls and ssl too. Both failed.
Disabling tls or ssl works straight away.

If enable ssl or tls, server is rejecting with TCP RST packet.

Thanks.

JKhondhu · April 24, 2018, 8:27am

...?

lcguy · April 24, 2018, 8:32am

This is the one.
https://www.elastic.co/downloads/beats/filebeat

I have one CentOS and this server can send filebeat log from /var/log/ using tls with crt file.
Only from Windows server is having issue with IIS log from C:\Inetpub\www\logs folder.

system · May 22, 2018, 10:32am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Kibana - Syslog and Winlogbeat are not visible Beats	1	481	July 29, 2020
Winlogbeat not working Beats winlogbeat	5	657	September 23, 2019
Solved: Logstash Is Receiving Data From Winlogbeat But Isn't Showing In Kibana Logstash	1	527	July 21, 2021
Collecting from multiple sources Logstash	8	2894	February 17, 2017
Not able to see filebeat-* index pattern in kibana Kibana	9	1251	May 17, 2018

Winlogbeat indices works but not see in Kibana

Hi, I have ELK stack working well with Logstash. Input is Syslog. Just trying out winlogbeat in from Windows server to CentOS (ELK) server not works. Checking indices, I can see all but, unable to view in Kibana. Need help how to configure correct settings in logstash config.

Related topics

Hi,
I have ELK stack working well with Logstash. Input is Syslog.
Just trying out winlogbeat in from Windows server to CentOS (ELK) server not works.
Checking indices, I can see all but, unable to view in Kibana.
Need help how to configure correct settings in logstash config.