Winlogbeat not able to send data to elastic (401 Unauthorized)

\winlogbeat> .\winlogbeat.exe -c '.\winlogbeat.yml' -e -v
11/17 19:45:16.781950 beat.go:264: INFO Home path: [C:\winlogbeat] Config path: [C:\winlogbeat] Data path: [C:\winlogbeat\data] Logs path: [C:\winlogbeat\logs]
11/17 19:45:16.781950 logp.go:219: INFO Metrics logging every 30s
11/17 19:45:16.781950 beat.go:174: INFO Setup Beat: winlogbeat; Version: 5.0.0
11/17 19:45:16.783952 output.go:167: INFO Loading template enabled. Reading template file: C:\winlogbeat\winlogbeat.template.json
11/17 19:45:16.784953 output.go:178: INFO Loading template enabled for Elasticsearch 2.x. Reading template file: C:\winlogbeat\winlogbeat.template-es2x.json
11/17 19:45:16.785953 client.go:107: INFO Elasticsearch url: http://host01:9200
11/17 19:45:16.785953 client.go:107: INFO Elasticsearch url: http://host01:9200
11/17 19:45:16.786954 client.go:107: INFO Elasticsearch url: http://host02:9200
11/17 19:45:16.786954 client.go:107: INFO Elasticsearch url: http://host02:9200
11/17 19:45:16.787955 client.go:107: INFO Elasticsearch url: http://host03:9200
11/17 19:45:16.787955 client.go:107: INFO Elasticsearch url: http://host03:9200
11/17 19:45:16.788956 outputs.go:106: INFO Activated elasticsearch as output plugin.
11/17 19:45:16.789957 publish.go:291: INFO Publisher name: active directory
11/17 19:45:16.792960 async.go:63: INFO Flush Interval set to: 1s
11/17 19:45:16.793961 async.go:64: INFO Max Bulk Size set to: 50
11/17 19:45:16.793961 winlogbeat.go:71: INFO State will be read from and persisted to C:/ProgramData/winlogbeat/.winlogbeat.yml
11/17 19:45:16.794962 sync_worker.go:87: ERR Connect failed with: 401 Unauthorized
11/17 19:45:16.794962 sync_worker.go:87: ERR Connect failed with: 401 Unauthorized
11/17 19:45:16.794962 sync_worker.go:87: ERR Connect failed with: 401 Unauthorized
11/17 19:45:16.795963 beat.go:204: INFO winlogbeat start running.

11/17 19:45:31.805185 sync_worker.go:87: ERR Connect failed with: 401 Unauthorized
11/17 19:45:31.806187 sync_worker.go:87: ERR Connect failed with: 401 Unauthorized
11/17 19:45:33.922560 winlogbeat.go:168: INFO Stopping Winlogbeat
11/17 19:45:33.922560 winlogbeat.go:189: INFO EventLog[Security] Stop processing.
11/17 19:45:33.922560 winlogbeat.go:189: INFO EventLog[System] Stop processing.
11/17 19:45:33.922560 winlogbeat.go:189: INFO EventLog[DNS Server] Stop processing.
11/17 19:45:34.806469 winlogbeat.go:189: INFO EventLog[Application] Stop processing.
11/17 19:45:34.806469 winlogbeat.go:189: INFO EventLog[Directory Service] Stop processing.
11/17 19:45:34.806469 winlogbeat.go:189: INFO EventLog[DFS Replication] Stop processing.
11/17 19:45:34.806469 winlogbeat.go:189: INFO EventLog[Key Management Service] Stop processing.
11/17 19:45:34.806469 winlogbeat.go:189: INFO EventLog[File Replication Service] Stop processing.
11/17 19:45:34.809472 logp.go:245: INFO Total non-zero values:  msg_file_cache.DNS ServerMisses=1 msg_file_cache.SystemHits=7 msg_file_cache.SecurityMisses=1 msg_file_cache.SystemSize=1 msg_file_
.SecuritySize=1 libbeat.publisher.published_events=109 msg_file_cache.SecurityHits=99 libbeat.es.publish.write_bytes=3213 msg_file_cache.DNS ServerSize=1 libbeat.es.publish.read_bytes=10611 msg_f
ache.SystemMisses=1
11/17 19:45:34.810473 logp.go:246: INFO Uptime: 18.0335284s

 elasticsearch:
    # Array of hosts to connect to.
    # Scheme and port can be left out and will be set to the default (http and 9200)
    # In case you specify and additional path, the scheme is required: http://localhost:9200/path
    # IPv6 addresses should always be defined as: https://[2001:db8::1]:9200
    hosts: ["host01:9200", "host02:9200", "host03:9200"]

    # Optional protocol and basic auth credentials.
    # protocol: "http"
    username: "elastic"
    password: "changeme"

    # Number of workers per Elasticsearch host.
    #worker: 2

    # Optional index name. The default is "winlogbeat" and generates
    # [winlogbeat-]YYYY.MM.DD keys.
    index: "winlogbeat"

Your elasticsearch servers are responding with 401. Please check that you have the correct username and password specified in the config file.

I did, that is the default user for X-Pack.

Are you able to curl using those credentials (like curl -u elastic:changeme http://host01:9200/_xpack?pretty)? Is there anything relevant in the ES log file? Could someone have changed the password? Can you reset that user's password? Or add a new user?

Yes to all, the elastic user and a newly created user.

So does the Beat connect now?

If not, have you tried hitting that URL from the Windows host that Winlogbeat is running on (like browsing to http://host01:9200/_xpack and entering the basic auth credentials)? Lastly, can you double-check the indentation in your config file (or try what I have given below)?

output.elasticsearch:
  hosts: ["host01:9200", "host02:9200", "host03:9200"]
  username: elastic
  password: changeme
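The check suggested above (prove the credentials work with a plain HTTP basic-auth request before blaming the Beat) can be scripted so that it runs against every host in the `hosts` list and tells a 401 apart from a connection failure. The following is an added example and not part of the original thread or of Winlogbeat; it runs offline against a small stand-in server that mimics an X-Pack secured node (the constructed `FakeSecuredES` class, its error bodies and the `Basic realm="security"` challenge are approximations of Elasticsearch's real responses, not copied from them). Replace `hosts` with your real host list to use it for real. Note that with `protocol: http`, as in the config above, the `Authorization` header carries the password merely base64-encoded, so anyone on the path can read it; `protocol: "https"` on the Beat and TLS on the cluster is the fix for that.

```python
"""Probe Elasticsearch hosts with HTTP basic auth and classify the answer.

Added example. Assumes the Beat-style host list "host:port" and the
credentials from winlogbeat.yml; the stand-in server below is constructed
for offline testing and only approximates a real X-Pack secured node.
"""
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, List, Optional, Tuple


def basic_auth_header(username: str, password: str) -> str:
    """Build the Authorization value that the Beat (and `curl -u`) send."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def probe(host: str, username: Optional[str], password: Optional[str],
          timeout: float = 5.0) -> Dict[str, object]:
    """GET http://<host>/ with optional basic auth.

    status is the HTTP status code, or None when no HTTP answer came back
    at all (TCP refused, timeout). That is a different failure from 401:
    the Beat logs it as a connection error, not as Unauthorized.
    """
    req = urllib.request.Request(f"http://{host}/")
    if username is not None:
        req.add_header("Authorization", basic_auth_header(username, password or ""))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return {"host": host, "status": resp.status, "ok": True, "www_authenticate": None}
    except urllib.error.HTTPError as e:
        return {"host": host, "status": e.code, "ok": False,
                "www_authenticate": e.headers.get("WWW-Authenticate")}
    except (urllib.error.URLError, OSError) as e:
        return {"host": host, "status": None, "ok": False, "www_authenticate": None,
                "error": str(e)}


def check_hosts(hosts: List[str], username: Optional[str],
                password: Optional[str]) -> List[Dict[str, object]]:
    """Probe every host in the Beat's hosts list; one result dict per host."""
    return [probe(h, username, password) for h in hosts]


class FakeSecuredES(BaseHTTPRequestHandler):
    """Constructed stand-in for an X-Pack secured node (approximation)."""
    expected_auth = basic_auth_header("elastic", "changeme")

    def do_GET(self):
        auth = self.headers.get("Authorization")
        if auth == self.expected_auth:
            status, body = 200, b'{"tagline":"You know, for Search"}'
        elif auth is None:
            # What a Beat sends when username/password are not actually
            # under output.elasticsearch (e.g. mis-indented): no header at all.
            status, body = 401, b'{"error":{"type":"security_exception","reason":"missing authentication token"}}'
        else:
            status, body = 401, b'{"error":{"type":"security_exception","reason":"unable to authenticate user"}}'
        self.send_response(status)
        if status == 401:
            self.send_header("WWW-Authenticate", 'Basic realm="security" charset="UTF-8"')
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_fake_es() -> Tuple[HTTPServer, str]:
    """Start the stand-in on a free loopback port; returns (server, 'host:port')."""
    server = HTTPServer(("127.0.0.1", 0), FakeSecuredES)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address[:2]
    return server, f"{host}:{port}"


if __name__ == "__main__":
    server, addr = start_fake_es()
    hosts = [addr]  # replace with ["host01:9200", "host02:9200", "host03:9200"]
    for creds in (("elastic", "changeme"), ("elastic", "wrong"), (None, None)):
        for r in check_hosts(hosts, *creds):
            print(f"{creds[0]!r:12} -> {r['host']}: status={r['status']} "
                  f"challenge={r['www_authenticate']}")
    server.shutdown()
```

A 200 with the credentials from the config, while the Beat still logs `Connect failed with: 401 Unauthorized`, means the Beat is not sending them; the usual cause is that `username`/`password` are not parsed as children of `output.elasticsearch` (indentation, or a stray `#`). A `None` status points at the network or the listener instead, and is not a credential problem.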

I can hit it via URL, I get the JSON response. However, Winlogbeat does not want to work.

{"build":{"hash":"7763f8e","date":"2016-10-26T04:51:59.202Z"},"license":{"uid":"314bd543-4892-46bb-a2a5-e7d9b88e45f4","type":"trial","mode":"trial","status":"active","expiry_date_in_millis":1482000556640},"features":{"graph":{"description":"Graph Data Exploration for the Elastic Stack","available":true,"enabled":true},"monitoring":{"description":"Monitoring for the Elastic Stack","available":true,"enabled":true},"security":{"description":"Security for the Elastic Stack","available":true,"enabled":true},"watcher":{"description":"Alerting, Notification and Automation for the Elastic Stack","available":true,"enabled":true}},"tagline":"You know, for X"}

OK, it's working, thanks for the help. It was the indentation of the YML file.

