2016-05-20T08:24:46-04:00 INFO GeoIP disabled: No paths were set under output.geoip.paths
2016-05-20T08:24:48-04:00 INFO Max Retries set to: 3
2016-05-20T08:24:48-04:00 INFO Activated logstash as output plugin.
2016-05-20T08:24:48-04:00 INFO Publisher name: ClientServer
2016-05-20T08:24:48-04:00 INFO Flush Interval set to: 1s
2016-05-20T08:24:48-04:00 INFO Max Bulk Size set to: 2048
2016-05-20T08:24:48-04:00 INFO Init Beat: winlogbeat; Version: 1.2.3
2016-05-20T08:24:48-04:00 INFO State will be read from and persisted to C:\ProgramData\winlogbeat.winlogbeat.yml
2016-05-20T08:24:48-04:00 INFO winlogbeat sucessfully setup. Start running.
2016-05-20T08:26:19-04:00 INFO Error publishing events (retrying): read tcp ClientServerIP:62588->ELKStackIP:5044: i/o timeout
2016-05-20T08:26:19-04:00 INFO send fail
2016-05-20T08:26:19-04:00 INFO backoff retry: 1s
Does anyone have any suggestions or insight as far as what I'm doing wrong?
template is not a valid configuration option for the logstash output. It's only for the elasticsearch output in version 5.x. You must manually install the index template to Elasticsearch.
The indentation for the certificate_authorities looks off. It should be two spaces to the right to make it a "child" of tls. (tls is a YAML dictionary and certificate_authorities should be contained in the tls dictionary)
If you are still having problems after correcting the TLS settings, try adding insecure: true as an option under tls. If it works, then this will give you an indication that you have some certificate issues. See the documentation section Securing Communication With Logstash by Using TLS.
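The indentation point in the reply above, as an added example rather than winlogbeat's or the thread's own code: a small standard-library lint that nests YAML keys by their indentation and flags the mistakes discussed here (a template option under the logstash output, certificate_authorities sitting beside tls instead of inside it, and a '//' line, which is not a comment in YAML). Both config fragments are constructed; the address 10.0.16.111:5044 is the Logstash host named later in the thread and the file paths are made up. It understands block mappings only, which is all this fragment uses, and is not a general YAML parser.

```python
"""Lint the nesting of winlogbeat's output.logstash section.

Added example, not winlogbeat's or the thread's own code. Keys are nested by
their indentation with a small stack, so only the standard library is needed;
this handles block mappings only and is not a general YAML parser.
"""
import re

# Constructed fragment with the mistakes discussed in the thread: a '//' comment,
# a template option under the logstash output, and certificate_authorities at
# the same indentation as tls (a sibling of tls rather than a child of it).
# The address is the Logstash host named in the thread; the paths are made up.
BAD_CONFIG = """\
output:
  logstash:
    // address of the Logstash server
    hosts: ["10.0.16.111:5044"]
    template:
      path: "C:/ProgramData/winlogbeat/winlogbeat.template.json"
    tls:
    certificate_authorities: ["C:/ProgramData/winlogbeat/logstash.crt"]
"""

# The same fragment corrected: '#' comment, template dropped, CA path two spaces
# further right so YAML places it inside the tls dictionary.
GOOD_CONFIG = """\
output:
  logstash:
    # address of the Logstash server
    hosts: ["10.0.16.111:5044"]
    tls:
      certificate_authorities: ["C:/ProgramData/winlogbeat/logstash.crt"]
"""

KEY_RE = re.compile(r"^(\s*)([A-Za-z_][\w.]*):\s*(.*)$")


def key_paths(text):
    """Map each dotted key path (e.g. output.logstash.tls) to its raw value text.

    A key at indentation N closes every open key at indentation >= N, which is
    exactly why a CA line at the same indentation as 'tls:' ends up beside it.
    """
    stack = []  # (indent, key) for the mapping chain that is currently open
    paths = {}
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if not m:
            continue  # blank lines, '#' comments and non-key lines carry no nesting
        indent = len(m.group(1))
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, m.group(2)))
        paths[".".join(k for _, k in stack)] = m.group(3)
    return paths


def check_config(text):
    """Return the problems found: '//' lines first (in file order), then nesting."""
    problems = [
        f"line {n}: '//' does not start a comment in YAML; use '#'"
        for n, line in enumerate(text.splitlines(), 1)
        if line.lstrip().startswith("//")
    ]
    paths = key_paths(text)
    if "output.logstash.template" in paths:
        problems.append("template is not an option of the logstash output "
                        "(it belongs to the elasticsearch output); load the "
                        "index template into Elasticsearch by hand instead")
    if "output.logstash.certificate_authorities" in paths:
        problems.append("certificate_authorities sits at the same indentation "
                        "as tls, so it is a sibling of tls; indent it two more "
                        "spaces to place it inside the tls dictionary")
    if paths.get("output.logstash.tls.insecure", "").strip().lower() == "true":
        problems.append("tls.insecure: true skips certificate verification; "
                        "keep it only while confirming a certificate problem")
    return problems


if __name__ == "__main__":
    for name, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        print(name, check_config(cfg) or "ok")
```

Running it prints the three findings for the first fragment and "ok" for the second; adding insecure: true under tls in the corrected fragment produces only the verification warning, which is the diagnostic step the reply suggests.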
I tried your suggestions, but unfortunately I was then receiving errors about connection timing out. So to make sure that it was indeed the TLS being the culprit, I commented out the TLS portion of my yml file:
I can ping the address from my Windows machine, but I do not see the ES server listening on 5044, nor can I telnet into that port; I get a connection refused by host error.
Are you looking at the Elasticsearch server or your Logstash server? Based on the configuration files provided you should be looking at the Logstash server whose IP address is 10.0.16.111.
On the Logstash server, if netstat is not showing anything bound to 5044, then is the Logstash process running?
If Logstash is up, then can you post the full config that it is using somewhere?
Also, can you cross-reference the logstash PID against the output from netstat -anp, like sudo netstat -anp | grep <logstash pid>, to get an idea of what it is doing since it is running?
Note that # is used to start comments in both YAML and Logstash configuration files. I'm surprised that none of the programs complained about your use of //.
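The checks in the reply above (is anything bound to 5044, and what is the Logstash PID doing), as an added example that is not from the thread or from Elastic: Python that parses a saved netstat -anp capture and turns it into the next question to ask. The capture is constructed; 10.0.16.111 is the Logstash host from the thread, while the PIDs, the client address and the other listeners are made up.

```python
"""Triage a Logstash beats input from a captured `netstat -anp` listing.

Added example, not from the thread or from Elastic. It reproduces the reply's
checklist (is anything listening on 5044, and what does the Logstash PID hold
open) as functions over text, so it can run offline against a saved capture.
"""
import re

# Constructed capture. 10.0.16.111 is the Logstash host named in the thread;
# the PIDs, the client 10.0.16.50 and the other listeners are made up.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp6       0      0 :::9200                 :::*                    LISTEN      1402/java
tcp6       0      0 :::5044                 :::*                    LISTEN      2231/java
tcp        0      0 10.0.16.111:5044        10.0.16.50:62588        ESTABLISHED 2231/java
"""

# One TCP row of `netstat -anp`: proto, queues, local, remote, state, PID/program.
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?P<state>\S+)\s+(?P<pid>\d+|-)(?:/(?P<prog>\S+))?\s*$"
)


def parse_netstat(text):
    """Return one dict per TCP socket line; headers and non-TCP lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            row = m.groupdict()
            row["port"] = int(row["local"].rsplit(":", 1)[1])
            rows.append(row)
    return rows


def listener_for_port(rows, port):
    """Return (pid, program) of the socket listening on port, or None if nothing is bound."""
    for r in rows:
        if r["state"] == "LISTEN" and r["port"] == port:
            return r["pid"], r["prog"]
    return None


def sockets_for_pid(rows, pid):
    """The `sudo netstat -anp | grep <pid>` step: every socket that PID has open."""
    return [(r["local"], r["remote"], r["state"]) for r in rows if r["pid"] == str(pid)]


def diagnose(text, port=5044, logstash_pid=None):
    """Follow the reply's checklist and say which question to ask next."""
    rows = parse_netstat(text)
    owner = listener_for_port(rows, port)
    if owner is None:
        return (f"nothing is listening on {port}: check that the Logstash process "
                f"is running and that its config has a beats input on that port")
    pid, prog = owner
    if logstash_pid is not None and str(logstash_pid) != pid:
        return (f"port {port} is held by pid {pid} ({prog}), not by the Logstash "
                f"pid {logstash_pid}; check which process you expected there")
    return (f"port {port} is bound by pid {pid} ({prog}); a refused connection from "
            f"the client then means it is pointed at a different host or something "
            f"between the two blocks it")


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print(diagnose(SAMPLE_NETSTAT, 5044, logstash_pid=2231))
    for local, remote, state in sockets_for_pid(rows, 2231):
        print(f"  {local:<22} {remote:<22} {state}")
```

The first question in the reply, whether you are looking at the Elasticsearch server or the Logstash server, is the one this cannot answer for you: the capture has to come from the host the Beat is actually configured to send to.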