Winlogbeat no longer logging to Logstash

Hi,
We had an instance where the disk space caused logging to stop over Xmas, which has since been resolved. However, since then, 2 servers, which are Server 2019, are no longer logging to Logstash > Elastic.
Winlogbeat 7.9.2 has been used and we also removed this and tested with 7.10.2, but no change.
Log file shows the following:

2021-01-15T13:54:46.632Z	INFO	instance/beat.go:645	Home path: [C:\ProgramData\Elastic\winlogbeat-7.10.2] Config path: [C:\ProgramData\Elastic\winlogbeat-7.10.2] Data path: [C:\ProgramData\winlogbeat] Logs path: [C:\ProgramData\winlogbeat\logs]
2021-01-15T13:54:46.647Z	INFO	instance/beat.go:653	Beat ID: 785c5d83-8ac6-493f-95fd-b7a5b7d06d8c
2021-01-15T13:54:46.659Z	INFO	[beat]	instance/beat.go:981	Beat info	{"system_info": {"beat": {"path": {"config": "C:\\ProgramData\\Elastic\\winlogbeat-7.10.2", "data": "C:\\ProgramData\\winlogbeat", "home": "C:\\ProgramData\\Elastic\\winlogbeat-7.10.2", "logs": "C:\\ProgramData\\winlogbeat\\logs"}, "type": "winlogbeat", "uuid": "785c5d83-8ac6-493f-95fd-b7a5b7d06d8c"}}}
2021-01-15T13:54:46.659Z	INFO	[beat]	instance/beat.go:990	Build info	{"system_info": {"build": {"commit": "aacf9ecd9c494aa0908f61fbca82c906b16562a8", "libbeat": "7.10.2", "time": "2021-01-12T23:31:06.000Z", "version": "7.10.2"}}}
2021-01-15T13:54:46.659Z	INFO	[beat]	instance/beat.go:993	Go runtime info	{"system_info": {"go": {"os":"windows","arch":"amd64","max_procs":2,"version":"go1.14.12"}}}
2021-01-15T13:54:46.672Z	INFO	[beat]	instance/beat.go:997	Host info	{"system_info": {"host": {"architecture":"x86_64","boot_time":"2020-12-16T07:01:55.5Z","name":"SV-MSE-ADC-001","ip":["fe80::503a:45f8:6945:e832/64","10.103.186.142/24","::1/128","127.0.0.1/8"],"kernel_version":"10.0.17763.1637 (WinBuild.160101.0800)","mac":["00:50:56:bb:d1:c2"],"os":{"family":"windows","platform":"windows","name":"Windows Server 2019 Standard","version":"10.0","major":10,"minor":0,"patch":0,"build":"17763.1637"},"timezone":"GMT","timezone_offset_sec":0,"id":"9957ef94-09de-46e9-bd24-a9cfeca9f068"}}}
2021-01-15T13:54:46.672Z	INFO	[beat]	instance/beat.go:1026	Process info	{"system_info": {"process": {"cwd": "C:\\Windows\\system32", "exe": "C:\\ProgramData\\Elastic\\winlogbeat-7.10.2\\winlogbeat.exe", "name": "winlogbeat.exe", "pid": 12192, "ppid": 648, "start_time": "2021-01-15T13:54:45.606Z"}}}
2021-01-15T13:54:46.672Z	INFO	instance/beat.go:299	Setup Beat: winlogbeat; Version: 7.10.2
2021-01-15T13:54:46.675Z	INFO	[publisher]	pipeline/module.go:113	Beat name: SV-MSE-ADC-001
2021-01-15T13:54:46.675Z	INFO	beater/winlogbeat.go:69	State will be read from and persisted to C:\ProgramData\winlogbeat\.winlogbeat.yml
2021-01-15T13:54:46.675Z	INFO	instance/beat.go:455	winlogbeat start running.
2021-01-15T13:54:46.677Z	INFO	[monitoring]	log/log.go:118	Starting metrics logging every 30s
2021-01-15T13:54:49.658Z	INFO	[add_cloud_metadata]	add_cloud_metadata/add_cloud_metadata.go:89	add_cloud_metadata: hosting provider type not detected.
2021-01-15T13:55:16.682Z	INFO	[monitoring]	log/log.go:145	Non-zero metrics in the last 30s	{"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":109,"time":{"ms":109}},"total":{"ticks":140,"time":{"ms":140},"value":140},"user":{"ticks":31,"time":{"ms":31}}},"handles":{"open":240},"info":{"ephemeral_id":"f480b962-9bae-4a96-b56b-4b3b5592b027","uptime":{"ms":30127}},"memstats":{"gc_next":8729584,"memory_alloc":4423400,"memory_total":10734600,"rss":35463168},"runtime":{"goroutines":18}},"libbeat":{"config":{"module":{"running":0}},"output":{"type":"logstash"},"pipeline":{"clients":1,"events":{"active":0}}},"system":{"cpu":{"cores":2}}}}}
2021-01-15T13:55:46.679Z	INFO	[monitoring]	log/log.go:145	Non-zero metrics in the last 30s	{"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":109},"total":{"ticks":155,"time":{"ms":15},"value":155},"user":{"ticks":46,"time":{"ms":15}}},"handles":{"open":240},"info":{"ephemeral_id":"f480b962-9bae-4a96-b56b-4b3b5592b027","uptime":{"ms":60127}},"memstats":{"gc_next":8729584,"memory_alloc":4501384,"memory_total":10812584,"rss":53248},"runtime":{"goroutines":18}},"libbeat":{"config":{"module":{"running":0}},"pipeline":{"clients":1,"events":{"active":0}}}}}}
2021-01-15T13:56:16.681Z	INFO	[monitoring]	log/log.go:145	Non-zero metrics in the last 30s	{"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":109},"total":{"ticks":155,"value":155},"user":{"ticks":46}},"handles":{"open":242},"info":{"ephemeral_id":"f480b962-9bae-4a96-b56b-4b3b5592b027","uptime":{"ms":90128}},"memstats":{"gc_next":8729584,"memory_alloc":4584360,"memory_total":10895560,"rss":57344},"runtime":{"goroutines":18}},"libbeat":{"config":{"module":{"running":0}},"pipeline":{"clients":1,"events":{"active":0}}}}}}

Hi @Craig2188, is Winlogbeat installed on each of those 2 Windows Server machines and sending the data to one Logstash instance? Can you tell us a bit more about the setup?
Also, can you enable debug logging at the Winlogbeat level on any of those machines in order to catch any issues at that level? Have you checked the logs on the Logstash side? Anything suspicious there?

Got it working again... annoyingly! A colleague copied over the YML file, which had different event IDs to log to Logstash, which made it appear as though nothing was being logged.
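
An added example, not part of the original thread: the metrics lines posted above show `"events":{"active":0}` with no `published` or `acked` counters, which is what a Beat looks like when it is running but its configuration matches no events. The Python below sums those counters across the "Non-zero metrics" lines and separates that case from an output problem; the sample lines, the category names and the classification rules are assumptions made for illustration.

```python
import json

MARKER = "Non-zero metrics in the last"
COUNTERS = {  # libbeat counter paths; Beats logs a counter only when non-zero
    "published": ("pipeline", "events", "published"),
    "acked": ("output", "events", "acked"),
    "failed": ("output", "events", "failed"),
    "write_errors": ("output", "write", "errors"),
}

def _get(node, path):
    """Follow path through nested dicts; an absent counter counts as 0."""
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return 0
        node = node[key]
    return node if isinstance(node, (int, float)) else 0

def summarize(log_text):
    """Sum the per-interval counters over every metrics line in the log."""
    totals = dict.fromkeys(COUNTERS, 0)
    totals["intervals"] = 0
    for line in log_text.splitlines():
        pos = line.find(MARKER)
        start = line.find("{", pos) if pos >= 0 else -1
        if start < 0:
            continue
        try:
            libbeat = json.loads(line[start:])["monitoring"]["metrics"]["libbeat"]
        except (ValueError, KeyError, TypeError):
            continue  # truncated or non-JSON line
        totals["intervals"] += 1
        for name, path in COUNTERS.items():
            totals[name] += _get(libbeat, path)
    return totals

def diagnose(totals):
    """Heuristic classification (assumed rules, not an Elastic-defined check)."""
    if totals["intervals"] == 0:
        return "no-metrics"
    if totals["failed"] or totals["write_errors"]:
        return "output-errors"
    if totals["published"] == 0:
        return "nothing-collected"  # check event_logs / event_id filters in the YML
    if totals["acked"] == 0:
        return "output-stalled"     # events published but never acknowledged
    return "ok"

# Constructed sample lines, trimmed to the fields the parser reads.
PREFIX = "2021-01-15T13:55:16.682Z\tINFO\t[monitoring]\tlog/log.go:145\t" + MARKER + " 30s\t"
QUIET = PREFIX + '{"monitoring": {"metrics": {"libbeat":{"pipeline":{"clients":1,"events":{"active":0}}}}}}'
HEALTHY = PREFIX + '{"monitoring": {"metrics": {"libbeat":{"output":{"events":{"acked":50,"total":50}},"pipeline":{"events":{"published":50}}}}}}'
```

Calling `diagnose(summarize(text))` on the contents of a Winlogbeat log file returns one of the five labels; `nothing-collected` points at the input side of the configuration rather than at Logstash.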
