My Logstash is running on port 5044; however, when I started my Winlogbeat service on my Windows server (which shows as running) and checked Kibana, I couldn't find any indices.
Here is my Logstash result
[root@ojelk03 conf.d]# systemctl status logstash
● logstash.service - logstash
Loaded: loaded (/etc/systemd/system/logstash.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2020-06-16 12:01:43 WAT; 3h 59min ago
Main PID: 24516 (java)
CGroup: /system.slice/logstash.service
└─24516 /bin/java -Xms1g -Xmx1g -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Dj...
Jun 16 12:02:22 ojelk0x logstash[24516]: [2020-06-16T12:02:22,863][INFO ][logstash.outputs.elasticsearch][main] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSear...8.202:9200"]}
Jun 16 12:02:23 ojelk0x logstash[24516]: [2020-06-16T12:02:22,998][INFO ][logstash.outputs.elasticsearch][main] Using default mapping template
Jun 16 12:02:23 ojelk0x logstash[24516]: [2020-06-16T12:02:23,066][WARN ][org.logstash.instrument.metrics.gauge.LazyDelegatingGauge][main] A gauge metric of an unknown type (org.jruby.specia...
Jun 16 12:02:23 ojelk0x logstash[24516]: [2020-06-16T12:02:23,087][INFO ][logstash.javapipeline ][main] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>8, "pipeline.batch.siz...
Jun 16 12:02:23 ojelk0x logstash[24516]: [2020-06-16T12:02:23,116][INFO ][logstash.outputs.elasticsearch][main] Attempting to install template {:manage_template=>{"index_pattern...ssage_field"=
Jun 16 12:02:24 ojelk0x logstash[24516]: [2020-06-16T12:02:24,688][INFO ][logstash.inputs.beats ][main] Beats inputs: Starting input listener {:address=>"0.0.0.0:5044"}
Jun 16 12:02:24 ojelk0x logstash[24516]: [2020-06-16T12:02:24,714][INFO ][logstash.javapipeline ][main] Pipeline started {"pipeline.id"=>"main"}
Jun 16 12:02:24 ojelk0x logstash[24516]: [2020-06-16T12:02:24,889][INFO ][logstash.agent ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>}
Jun 16 12:02:24 ojelk0x logstash[24516]: [2020-06-16T12:02:24,968][INFO ][org.logstash.beats.Server][main] Starting server on port: 5044
Jun 16 12:02:25 ojelk0x logstash[24516]: [2020-06-16T12:02:25,454][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}
Hint: Some lines were ellipsized, use -l to show in full.
My Logstash pipeline:
# Sample Logstash configuration for creating a simple
# Beats -> Logstash -> Elasticsearch pipeline.
input {
  beats {
    port => 5044
  }
}
output {
  elasticsearch {
    hosts => ["http://10.1.x.x:9200"]
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    user => "elastic"
    password => "xxxxxxxxxx"
  }
}
Winlogbeat YML file:
#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["10.1.x.x:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"
So I ran netstat on my Windows Server 2012 box to check whether the connection to port 5044 is established:
TCP 10.1.X.X:60477 10.1.x.x:5044 SYN_SENT
SYN sent, but it never established.
Then I changed the output to Elasticsearch directly and I was able to index; I also checked that this connection is established:
TCP 10.1.X.X:57066 10.1.x.x:9200 ESTABLISHED
I had already opened port 5044 on the Windows firewall with both inbound and outbound rules.
I need help here, please.
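A server-side diagnostic for this situation, added here as an example and not part of the original question. The journal above shows the Beats input bound to 0.0.0.0:5044, so Logstash itself is listening; a client that sits in SYN_SENT towards 5044 while it reaches Elasticsearch on 9200 in ESTABLISHED never received a SYN-ACK, which points at the SYN being dropped on the way in (a host firewall on the Logstash box, such as firewalld on a RHEL-family system, which only opens the ports you add, or a network firewall between the two). The script checks both halves on the Logstash host: is anything listening on the port, and does firewalld allow it. It assumes a firewalld-managed host and bash; the PORT variable, the --live flag and the function names are my own choices, and the sample ss output used in the test is constructed.

```shell
#!/usr/bin/env bash
# Added diagnostic for the Logstash host (example code, not from the original post).
# Assumes a firewalld-managed system; PORT and --live are this script's own conventions.
PORT="${PORT:-5044}"

# Return 0 if the given `ss -ltn` output contains a TCP listener on port $1,
# whether bound to 0.0.0.0, *, [::] or a specific address.
listener_present() {
    local port="$1" ss_output="$2"
    printf '%s\n' "$ss_output" | awk -v p="$port" '
        $1 == "LISTEN" {
            n = split($4, a, ":")      # "Local Address:Port"; IPv6 forms contain many colons
            if (a[n] == p) { found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# Return 0 if $1/tcp appears in a `firewall-cmd --list-ports` line
# (space-separated tokens such as "22/tcp 9200/tcp").
port_allowed() {
    local port="$1" list="$2" tok
    for tok in $list; do
        [ "$tok" = "${port}/tcp" ] && return 0
    done
    return 1
}

# Interpret the client-side netstat state for a connection to the Beats port.
# SYN_SENT means the client sent a SYN and never saw a SYN-ACK come back.
diagnose_state() {
    case "$1" in
        ESTABLISHED) echo "handshake completed: transport is fine, look at Beats/Logstash logs next" ;;
        SYN_SENT)    echo "no SYN-ACK: SYN dropped by a firewall on the path or on the server, or nothing listening" ;;
        *)           echo "unexpected state: $1" ;;
    esac
}

# Live checks only run when invoked as: ./beats-port-check.sh --live
if [ "${1:-}" = "--live" ]; then
    if listener_present "$PORT" "$(ss -ltn)"; then
        echo "Logstash is listening on tcp/$PORT"
    else
        echo "nothing is listening on tcp/$PORT; check the beats input and 'journalctl -u logstash'"
        exit 1
    fi
    if command -v firewall-cmd >/dev/null 2>&1; then
        if port_allowed "$PORT" "$(firewall-cmd --list-ports)"; then
            echo "firewalld already allows tcp/$PORT"
        else
            echo "firewalld does not allow tcp/$PORT; opening it permanently"
            firewall-cmd --permanent --add-port="${PORT}/tcp"
            firewall-cmd --reload
        fi
    else
        echo "firewall-cmd not found; check iptables/nftables rules for tcp/$PORT by hand"
    fi
fi
```

Run it as root on the Logstash host with `--live`. From the Windows side the matching check is `Test-NetConnection 10.1.x.x -Port 5044` in PowerShell (TcpTestSucceeded should be True), followed by `winlogbeat.exe test output`, which performs the full Beats handshake rather than a bare TCP connect; if the TCP test fails but the script reports a listener and an open firewalld port, the drop is on a network firewall between the two hosts.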