Winlogbeat issues shipping to Logstash

thekrazy · May 20, 2016, 12:50pm

I'm having trouble shipping logs from my client server to my ELK stack server. My client server winlogbeat.yml is:

winlogbeat:
  registry_file: C:/ProgramData/winlogbeat/.winlogbeat.yml

  event_logs:
    - name: Application
    - name: Security
    - name: System

output:
  logstash:
    hosts: ["10.0.16.111:5044"]

    template:
     path: "winlogbeat.template.json"

    tls:
    certificate_authorities: ["C:/Program Files/Winlogbeat/logstash-forwarder.crt"]


logging:
  to_files: true
  files:
    path: C:/ProgramData/winlogbeat/Logs
  level: info

The logs are reporting:

2016-05-20T08:24:46-04:00 INFO GeoIP disabled: No paths were set under output.geoip.paths
2016-05-20T08:24:48-04:00 INFO Max Retries set to: 3
2016-05-20T08:24:48-04:00 INFO Activated logstash as output plugin.
2016-05-20T08:24:48-04:00 INFO Publisher name: ClientServer
2016-05-20T08:24:48-04:00 INFO Flush Interval set to: 1s
2016-05-20T08:24:48-04:00 INFO Max Bulk Size set to: 2048
2016-05-20T08:24:48-04:00 INFO Init Beat: winlogbeat; Version: 1.2.3
2016-05-20T08:24:48-04:00 INFO State will be read from and persisted to C:\ProgramData\winlogbeat.winlogbeat.yml
2016-05-20T08:24:48-04:00 INFO winlogbeat sucessfully setup. Start running.
2016-05-20T08:26:19-04:00 INFO Error publishing events (retrying): read tcp ClientServerIP:62588->ELKStackIP:5044: i/o timeout
2016-05-20T08:26:19-04:00 INFO send fail
2016-05-20T08:26:19-04:00 INFO backoff retry: 1s

Does anyone have any suggestions or insight as far as what I'm doing wrong?

andrewkroh · May 20, 2016, 2:10pm

It looks like you may have some config issues.

template is not a valid configuration option for the logstash output. It's only for the elasticsearch output in version 5.x. You must manually install the index template to Elasticsearch.
The indentation for the certificate_authorities looks off. It should be two spaces to the right to make it a "child" of tls. (tls is a YAML dictionary and certificate_authorities should be contained in the tls dictionary)

If you are still having problems after correcting the TLS settings, try adding insecure: true as an option under tls. If it works, then this will give you an indication that you have some certificate issues. See the documentation section Securing Communication With Logstash by Using TLS.

thekrazy · May 20, 2016, 5:23pm

I tried your suggestions, but unfortunately I was then receiving errors about connection timing out. So to make sure that it was indeed the TLS being the culprit, I commented out the TLS portion of my yml file:

winlogbeat:
  registry_file: C:/ProgramData/winlogbeat/.winlogbeat.yml

  event_logs:
    - name: Application
    - name: Security
    - name: System

output:
  logstash:
    hosts: ["10.0.16.111:5044"]

//    template:
//     path: "winlogbeat.template.json"

//  tls:
//    insecure: true
//    certificate_authorities: ["C:/Program Files/Winlogbeat/logstash-forwarder.crt"]


logging:
  to_files: true
  files:
    path: C:/ProgramData/winlogbeat/Logs
  level: info

And I also commented out the TLS portion of the beats plugin:

input {
      beats {
//        host => "10.0.16.111"
        port => 5044
//        type => "logs"
//        ssl => true
//        ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
//        ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
      }
    }

Does anything jump out at you with my TLS settings that would cause such trouble?

andrewkroh · May 20, 2016, 5:54pm

It's good that you removed TLS; it's best to start simple and then add complexity.

Sounds like a connectivity issue between the hosts.

Make sure Logstash is up and running. Use netstat to check that it's actually listening on the interface and port you are trying to connect to.
Check that you can ping the Logstash host from the Windows host.: ping 10.0.16.111
Check if you can telnet to the Logstash port from the Windows host: telnet.exe 10.0.16.111 5044

thekrazy · May 20, 2016, 6:17pm

I can ping the address from my windows machine and but I do not see the ES server listening on 5044, nor can I telnet into that port; I get a connection refused by host error.

andrewkroh · May 20, 2016, 6:24pm

Are you looking at the Elasticsearch server or your Logstash server? Based on the configuration files provided you should be looking at the Logstash server whose IP address is 10.0.16.111.

On the Logstash server, if netstat is not showing anything bound to 5044, then is the Logstash process running?

thekrazy · May 20, 2016, 6:28pm

Elasticsearch and Logstash are running on the same server and both services are running, along with nginx and kibana.

andrewkroh · May 20, 2016, 6:52pm

If Logstash is up, then can you post somewhere the full config that it is using.

Also can you cross-reference the logstash PID against the output from netstat -anp, like sudo netstat -anp | grep <logstash pid> to get an idea of what it is doing since it is running.

magnusbaeck · May 22, 2016, 1:48pm

Note that # is used to start comments in both YAML and Logstash configuration files. I'm surprised that none of the programs complained about your use of //.

system · June 12, 2016, 1:48pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.