Winlogbeat not able to send data to elastic (401 Unauthorized)


(Alvaro Cabrera) #1
\winlogbeat> .\winlogbeat.exe -c '.\winlogbeat.yml' -e -v
11/17 19:45:16.781950 beat.go:264: INFO Home path: [C:\winlogbeat] Config path: [C:\winlogbeat] Data path: [C:\winlogbeat\data] Logs path: [C:\winlogbeat\logs]
11/17 19:45:16.781950 logp.go:219: INFO Metrics logging every 30s
11/17 19:45:16.781950 beat.go:174: INFO Setup Beat: winlogbeat; Version: 5.0.0
11/17 19:45:16.783952 output.go:167: INFO Loading template enabled. Reading template file: C:\winlogbeat\winlogbeat.template.json
11/17 19:45:16.784953 output.go:178: INFO Loading template enabled for Elasticsearch 2.x. Reading template file: C:\winlogbeat\winlogbeat.template-es2x.json
11/17 19:45:16.785953 client.go:107: INFO Elasticsearch url: http://host01:9200
11/17 19:45:16.785953 client.go:107: INFO Elasticsearch url: http://host01:9200
11/17 19:45:16.786954 client.go:107: INFO Elasticsearch url: http://host02:9200
11/17 19:45:16.786954 client.go:107: INFO Elasticsearch url: http://host02:9200
11/17 19:45:16.787955 client.go:107: INFO Elasticsearch url: http://host03:9200
11/17 19:45:16.787955 client.go:107: INFO Elasticsearch url: http://host03:9200
11/17 19:45:16.788956 outputs.go:106: INFO Activated elasticsearch as output plugin.
11/17 19:45:16.789957 publish.go:291: INFO Publisher name: active directory
11/17 19:45:16.792960 async.go:63: INFO Flush Interval set to: 1s
11/17 19:45:16.793961 async.go:64: INFO Max Bulk Size set to: 50
11/17 19:45:16.793961 winlogbeat.go:71: INFO State will be read from and persisted to C:/ProgramData/winlogbeat/.winlogbeat.yml
11/17 19:45:16.794962 sync_worker.go:87: ERR Connect failed with: 401 Unauthorized
11/17 19:45:16.794962 sync_worker.go:87: ERR Connect failed with: 401 Unauthorized
11/17 19:45:16.794962 sync_worker.go:87: ERR Connect failed with: 401 Unauthorized
11/17 19:45:16.795963 beat.go:204: INFO winlogbeat start running.

11/17 19:45:31.805185 sync_worker.go:87: ERR Connect failed with: 401 Unauthorized
11/17 19:45:31.806187 sync_worker.go:87: ERR Connect failed with: 401 Unauthorized
11/17 19:45:33.922560 winlogbeat.go:168: INFO Stopping Winlogbeat
11/17 19:45:33.922560 winlogbeat.go:189: INFO EventLog[Security] Stop processing.
11/17 19:45:33.922560 winlogbeat.go:189: INFO EventLog[System] Stop processing.
11/17 19:45:33.922560 winlogbeat.go:189: INFO EventLog[DNS Server] Stop processing.
11/17 19:45:34.806469 winlogbeat.go:189: INFO EventLog[Application] Stop processing.
11/17 19:45:34.806469 winlogbeat.go:189: INFO EventLog[Directory Service] Stop processing.
11/17 19:45:34.806469 winlogbeat.go:189: INFO EventLog[DFS Replication] Stop processing.
11/17 19:45:34.806469 winlogbeat.go:189: INFO EventLog[Key Management Service] Stop processing.
11/17 19:45:34.806469 winlogbeat.go:189: INFO EventLog[File Replication Service] Stop processing.
11/17 19:45:34.809472 logp.go:245: INFO Total non-zero values:  msg_file_cache.DNS ServerMisses=1 msg_file_cache.SystemHits=7 msg_file_cache.SecurityMisses=1 msg_file_cache.SystemSize=1 msg_file_
.SecuritySize=1 libbeat.publisher.published_events=109 msg_file_cache.SecurityHits=99 libbeat.es.publish.write_bytes=3213 msg_file_cache.DNS ServerSize=1 libbeat.es.publish.read_bytes=10611 msg_f
ache.SystemMisses=1
11/17 19:45:34.810473 logp.go:246: INFO Uptime: 18.0335284s

 elasticsearch:
    # Array of hosts to connect to.
    # Scheme and port can be left out and will be set to the default (http and 9200)
    # In case you specify and additional path, the scheme is required: http://localhost:9200/path
    # IPv6 addresses should always be defined as: https://[2001:db8::1]:9200
    hosts: ["host01:9200", "host02:9200", "host03:9200"]

    # Optional protocol and basic auth credentials.
    # protocol: "http"
    username: "elastic"
    password: "changeme"

    # Number of workers per Elasticsearch host.
    #worker: 2

    # Optional index name. The default is "winlogbeat" and generates
    # [winlogbeat-]YYYY.MM.DD keys.
    index: "winlogbeat"

(Andrew Kroh) #2

Your elasticsearch servers are responding with 401. Please check that you have the correct username and password specified in the config file.


(Alvaro Cabrera) #3

I did, that is the default user for X-Pack.


(Andrew Kroh) #4

Are you able to curl using those credentials (like curl -u elastic:changeme http://host01:9200/_xpack?pretty)? Is there anything relevant in the ES log file? Could someone have changed the password? Can you reset that user's password? Or add a new user?


(Alvaro Cabrera) #5

Yes to all, elastic user and newly created user.


(Andrew Kroh) #6

So does the Beat connect now?

If not, have you tried hitting that URL from the Windows host that Winlogbeat is running on (like browse to http://host01:9200/_xpack and enter the basic auth credentials). Lastly can you double check the indentation in your config file (or try what I have given below).

output.elasticsearch:
  hosts: ["host01:9200", "host02:9200", "host03:9200"]
  username: elastic
  password: changeme
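
A way to catch this class of misconfiguration before deploying the Beat, as an added example (not code from the thread or from Elastic): it parses two constructed winlogbeat.yml fragments, the layout from post #6 and a mis-indented variant in which username/password drift out of the elasticsearch block, and reports where the credentials actually landed, which is why the server answers with 401.

```ruby
require 'yaml'

# Constructed sample: the layout from post #6. Both credential keys sit two
# spaces under "output.elasticsearch", so they belong to that output.
GOOD_CONFIG = <<~YAML
  output.elasticsearch:
    hosts: ["host01:9200", "host02:9200", "host03:9200"]
    username: elastic
    password: changeme
YAML

# Constructed sample of the failure mode: "username"/"password" are indented
# one level shallower than "hosts". YAML happily parses them as keys of their
# own, so the Elasticsearch output is built without credentials and the very
# first request is rejected with 401 Unauthorized.
BAD_CONFIG = <<~YAML
  output:
    elasticsearch:
      hosts: ["host01:9200", "host02:9200", "host03:9200"]
    username: elastic
    password: changeme
YAML

# Beats accept both the dotted "output.elasticsearch" key and a nested
# "output:" / "elasticsearch:" map; look the section up either way.
def es_output(cfg)
  return nil unless cfg.is_a?(Hash)
  return cfg['output.elasticsearch'] if cfg.key?('output.elasticsearch')
  out = cfg['output']
  out.is_a?(Hash) ? out['elasticsearch'] : nil
end

# Walks the parsed tree and returns every dotted path where `key` appears.
def stray_paths(node, key, path = [])
  return [] unless node.is_a?(Hash)
  node.flat_map do |k, v|
    here = path + [k]
    (k == key ? [here.join('.')] : []) + stray_paths(v, key, here)
  end
end

# Returns a list of findings; an empty list means the credentials are in place.
def lint_es_auth(yaml_text)
  es = es_output(YAML.safe_load(yaml_text))
  return ['no output.elasticsearch section found'] unless es.is_a?(Hash)
  %w[username password].each_with_object([]) do |key, findings|
    next if es.key?(key)
    findings << "#{key} is not under output.elasticsearch"
    stray_paths(YAML.safe_load(yaml_text), key).each do |p|
      findings << "  found #{key} at #{p}: check indentation"
    end
  end
end
```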

(Alvaro Cabrera) #7

I can hit it via URL, I get the JSON response. However, Winlogbeat does not want to work.

{"build":{"hash":"7763f8e","date":"2016-10-26T04:51:59.202Z"},"license":{"uid":"314bd543-4892-46bb-a2a5-e7d9b88e45f4","type":"trial","mode":"trial","status":"active","expiry_date_in_millis":1482000556640},"features":{"graph":{"description":"Graph Data Exploration for the Elastic Stack","available":true,"enabled":true},"monitoring":{"description":"Monitoring for the Elastic Stack","available":true,"enabled":true},"security":{"description":"Security for the Elastic Stack","available":true,"enabled":true},"watcher":{"description":"Alerting, Notification and Automation for the Elastic Stack","available":true,"enabled":true}},"tagline":"You know, for X"}


(Alvaro Cabrera) #8

OK, it's working, thanks for the help. It was the indentation of the YML file.

