Winlogbeat is not shipping Data to Elasticsearch after enabling xpack Security


so we've started to renew our Cluster for various reasons:

3 Node Cluster (CentOS 7)
Kibana 7.15
Elasticsearch 7.15
Logstash 7.15
Filebeat 7.15
Winlogbeat 7.15

After we setup xpack Security within Elasticsearch - we proceeded to get our Log-Sources connected. It worked just fine for the firewalls - using the modules of Filebeat. No Problem with the delivery whatsoever.

When we tried to connect our Windows Clients to Elasticsearch - we fail.
The Config Test says it's ok - but the output test runs into a timeout.

C:\Program Files\Winlogbeat>winlogbeat test output
Elasticsearch: https://X.X.X.X:9200...
parse url... OK
parse host... OK
dns lookup... OK
dial up... ERROR dial tcp connectex: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

Here's the .yml Configuration on both sides:


  enabled: true   
  hosts: ["X.X.X.X:9200", "Y.Y.Y.Y:9200", "Z.Z.Z.Z:9200"]
  username: "winlogbeat"
  password: "YjkS1EvKdPaZvYUC"
  ssl.certificate_authorities: "C:\Program Files\winlogbeat\certs\ca.newkey"
  #ssl.certificate: "C:\Program Files\winlogbeat\certs\cert.newkey"
  #ssl.key: "C:\Program Files\winlogbeat\certs\key.newkey
  protocol: "https"

we've tried it both with ssl.certifacte & key enable and disabled.

Elasticsearch: true true certificate certs/key.newkey certs/cert.newkey ["/etc/elasticsearch/certs/ca.newkey"]

We've tried both with certificate verificate set to none and certificate.

I parsed the logs of Elasticsearch - but cannot find any errors belonging to the Windows Server on which we're testing on.

Firewall Rules are in place.
I am sure that i'm just in a kind of tunnel vision and i'm missing out on a crucial simple part - but i fail to see it - maybe someone can help?

Thanks in advance!

Soo i just cleared my head - and now i see that my configuration has nothing to do with the delivery of Data - since we've only encrypted the Internode Communication -

But now the whole Winlogbeat thing makes even less sense to me -
there's no encryption on Port 9200 - but even if i disable all the ssl. features in the winlogbeat.yml config file - i cannot access my cluster as i run into a timeout.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.