I've read several posts here regarding getting Winlogbeat to send logs to an ELK server. However, these haven't helped me get it working. As I usually do, I probably am missing something simple.
I already have Filebeat, Topbeat, and Packetbeat working, so I'm fairly certain that my ELK configs are correct; I can post these if it would help with a solution. My winlogbeat.yml file looks like this:
winlogbeat:
  registry_file: C:/ProgramData/winlogbeat/.winlogbeat.yml
  event_logs:
    - name: Application
    - name: Security
    - name: System

output:
  logstash:
    hosts: ["10.0.101.101:5044"]

    template:
      # Template name. By default the template name is winlogbeat.
      #name: "winlogbeat"

      # Path to template file
      #path: "winlogbeat.template.json"

      # Overwrite existing template
      #overwrite: false

    tls:
      certificate_authorities: ["C:/Program Files/Winlogbeat/logstash-forwarder.crt"]

logging:
  to_files: true
  files:
    path: C:/ProgramData/winlogbeat/Logs
  level: info
I read in a Googled post that someone had copied winlogbeat.template.json to the ELK server, and initialized it with "curl -XPOST 'http://10.0.101.101:9200/_template/winlogbeat?pretty' -d @/home/me/winlogbeat.template.json", and that that made his setup work. I tried that, but no joy.
It looks like you are using Logstash, and those template options you set under the logstash output are not supported. Those are for the elasticsearch output only. You must manually install the index template to your Elasticsearch server (instructions are included in the Getting Started guide).
I did follow the directions in the Getting Started Guide, with the exception of loading the template (I think). Forgive me, but I'm not seeing how to manually install the index template to my Elasticsearch server in the Guide.
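The manual template install that the reply above refers to, as an added example that is not part of the thread and not Elastic's own tooling: a small POSIX shell script that checks the template file, PUTs it to the Elasticsearch _template API and reads it back. The Elasticsearch URL defaults to the 10.0.101.101:9200 address used in the thread; the template name, the environment variables and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): install the Winlogbeat index template
# into Elasticsearch by hand. This is needed when Winlogbeat ships through
# Logstash, because the `template` options under `output.logstash` are ignored.
# Assumptions: Elasticsearch is reachable at $ES_URL (default matches the
# thread's 10.0.101.101:9200) and winlogbeat.template.json was copied from the
# Winlogbeat install directory to the host running this script.

ES_URL="${ES_URL:-http://10.0.101.101:9200}"
TEMPLATE_NAME="${TEMPLATE_NAME:-winlogbeat}"

# Build the _template URL for a given template name.
template_url() {
    printf '%s/_template/%s' "$ES_URL" "$1"
}

# Sanity check before uploading: the file must be readable and must declare
# the winlogbeat-* index pattern (older templates use "template",
# newer ones "index_patterns"), otherwise the wrong file was copied.
check_template_file() {
    file="$1"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    grep -Eq '"(template|index_patterns)"' "$file" && grep -q 'winlogbeat-\*' "$file" || {
        echo "$file does not declare the winlogbeat-* index pattern" >&2
        return 1
    }
}

# PUT the template. The Content-Type header is harmless on older
# Elasticsearch releases and required from 6.0 onward. Prints the HTTP code.
install_template() {
    file="$1"
    check_template_file "$file" || return 1
    curl -sS -o /dev/null -w '%{http_code}\n' \
        -XPUT "$(template_url "$TEMPLATE_NAME")" \
        -H 'Content-Type: application/json' \
        --data-binary "@$file"
}

# Verify: an installed template answers HTTP 200; 404 means it is still missing.
verify_template() {
    curl -sS -o /dev/null -w '%{http_code}\n' \
        -XGET "$(template_url "$TEMPLATE_NAME")"
}

main() {
    [ $# -eq 1 ] || { echo "usage: $0 winlogbeat.template.json" >&2; exit 2; }
    code=$(install_template "$1") || exit 1
    echo "PUT returned $code"
    echo "GET returns $(verify_template)"
}

# Only act when a template file is given; sourcing the file just defines functions.
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as `sh install_template.sh /home/me/winlogbeat.template.json` on the ELK host. A 200 from the final GET is the check that the template is actually present; the original POST in the thread gives no such confirmation, and a template that never landed is indistinguishable from one that was rejected.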
How about the parts of the config that are not relevant? I suspect there might be some invalid conditionals in your filters. The type => "log" does nothing in this context because type is already set by Winlogbeat. The type on those events will be either eventlogging or wineventlog depending on the Windows operating system.
Not sure where I might need to make the change. I've posted my configs here: http://pastebin.com/Q2pn0B67. If it's not too big a pita for you to take a look, that would be greatly appreciated. I'm sure your eyes will roll when you see them.
Based on the tags in the event and the configuration you posted to pastebin, I'd say you are sending the Winlogbeat data to the Logstash tcp input and not the beats input. Please double check that the port number you are using in your Winlogbeat config is the port number assigned to the Logstash beats input.
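The port check the reply above asks for, as an added example that is not part of the thread: a POSIX shell script that lists every beats/tcp/udp input port in a Logstash pipeline file, pulls the port out of the `output.logstash.hosts` entry in winlogbeat.yml, and reports whether that port is bound by a beats input. The pipeline layout it expects (one plugin block per input, one setting per line), the function names and the sample files in the test are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that the port in winlogbeat.yml
# is the port of a Logstash *beats* input rather than a tcp input. Events sent
# to a tcp input are not decoded by the beats protocol and carry different
# tags, which is the symptom diagnosed in the reply above.
# Assumption: the pipeline file uses the common layout of one plugin block per
# input and one setting per line (`beats {` / `port => 5044` / `}`).

# Print "<plugin> <port>" for every beats/tcp/udp input in a Logstash config.
# Brace depth is tracked so nested blocks (ssl settings etc.) are skipped.
logstash_input_ports() {
    awk '
    {
        line = $0
        sub(/#.*/, "", line)                    # drop comments before counting braces
        opens  = gsub(/[{]/, "{", line)          # gsub returns the number of matches
        closes = gsub(/[}]/, "}", line)
        if (depth == 0 && line ~ /^[[:space:]]*input[[:space:]]*[{]/) in_input = 1
        if (in_input && depth == 1 && line ~ /^[[:space:]]*[a-z_]+[[:space:]]*[{]/) {
            plugin = line
            sub(/^[[:space:]]*/, "", plugin); sub(/[^a-z_].*/, "", plugin)
        }
        if (in_input && depth == 2 && line ~ /^[[:space:]]*port[[:space:]]*=>/) {
            port = line
            sub(/.*=>[[:space:]]*/, "", port); sub(/[^0-9].*/, "", port)
            if (plugin ~ /^(beats|tcp|udp)$/) print plugin, port
        }
        depth += opens - closes
        if (depth == 0) in_input = 0
    }' "$1"
}

# Print the port of the first host under output.logstash in winlogbeat.yml.
winlogbeat_logstash_port() {
    awk '
    /^[[:space:]]*logstash:/ { in_ls = 1; next }
    in_ls && /^[[:space:]]*hosts:/ {
        if (match($0, /"[^"]*"/)) {
            host = substr($0, RSTART + 1, RLENGTH - 2)   # strip the quotes
            sub(/.*:/, "", host)                         # keep what follows the last colon
            print host
        }
        exit
    }' "$1"
}

# Exit 0 when the Winlogbeat port is a beats input, 1 otherwise.
check_winlogbeat_port() {
    yml="$1"; conf="$2"
    port=$(winlogbeat_logstash_port "$yml")
    [ -n "$port" ] || { echo "no output.logstash.hosts entry in $yml" >&2; return 2; }
    plugin=$(logstash_input_ports "$conf" | awk -v p="$port" '$2 == p { print $1; exit }')
    case "$plugin" in
        beats) echo "port $port is a Logstash beats input: OK"; return 0 ;;
        "")    echo "port $port is not bound by any beats/tcp/udp input in $conf" >&2; return 1 ;;
        *)     echo "port $port belongs to a $plugin input, not beats" >&2; return 1 ;;
    esac
}

# Usage: sh check_port.sh winlogbeat.yml /etc/logstash/conf.d/beats.conf
if [ $# -eq 2 ]; then check_winlogbeat_port "$1" "$2"; fi
```

Copy winlogbeat.yml from the Windows host to the ELK server and run the script against the Logstash pipeline file there; the mismatch the reply describes shows up as "port 5000 belongs to a tcp input, not beats" instead of having to be spotted by eye in a pastebin.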
Yes, you're right, a mis-config. I have specified port 5044 in winlogbeat.yml, which is the beats port specified in the Logstash beats input. Now, I'm not receiving any logs again. Huh?
This morning, I installed Topbeat on a Win2k8 server, with the same results - I get no output in ELK (using the Logstash output). As the Windows platform makes up 40% of our infrastructure, I'd really like to get this working, so your help would be greatly appreciated.
The Topbeat service errors, and won't start. However, if I comment out "certificate_authorities", and instead set "insecure: true", then the service starts, and I get output in ELK. Does TLS have to be set up differently to work with Windows, or is it not supported?