Winlogbeat not sending logs via logstash on port 5044

My Logstash is running on port 5044. However, when I started the Winlogbeat service on my Windows server, which shows as running, and checked Kibana, I couldn't find the indices to index.

Here is my Logstash result

[root@ojelk03 conf.d]# systemctl status logstash
● logstash.service - logstash
Loaded: loaded (/etc/systemd/system/logstash.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2020-06-16 12:01:43 WAT; 3h 59min ago
Main PID: 24516 (java)
CGroup: /system.slice/logstash.service
└─24516 /bin/java -Xms1g -Xmx1g -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Dj...

Jun 16 12:02:22 ojelk0x logstash[24516]: [2020-06-16T12:02:22,863][INFO ][logstash.outputs.elasticsearch][main] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSear...8.202:9200"]}
Jun 16 12:02:23 ojelk0x logstash[24516]: [2020-06-16T12:02:22,998][INFO ][logstash.outputs.elasticsearch][main] Using default mapping template
Jun 16 12:02:23 ojelk0x logstash[24516]: [2020-06-16T12:02:23,066][WARN ][org.logstash.instrument.metrics.gauge.LazyDelegatingGauge][main] A gauge metric of an unknown type (org.jruby.specia...
Jun 16 12:02:23 ojelk0x logstash[24516]: [2020-06-16T12:02:23,087][INFO ][logstash.javapipeline ][main] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>8, "pipeline.batch.siz...
Jun 16 12:02:23 ojelk0x logstash[24516]: [2020-06-16T12:02:23,116][INFO ][logstash.outputs.elasticsearch][main] Attempting to install template {:manage_template=>{"index_pattern...ssage_field"=
Jun 16 12:02:24 ojelk0x logstash[24516]: [2020-06-16T12:02:24,688][INFO ][logstash.inputs.beats ][main] Beats inputs: Starting input listener {:address=>"0.0.0.0:5044"}
Jun 16 12:02:24 ojelk0x logstash[24516]: [2020-06-16T12:02:24,714][INFO ][logstash.javapipeline ][main] Pipeline started {"pipeline.id"=>"main"}
Jun 16 12:02:24 ojelk0x logstash[24516]: [2020-06-16T12:02:24,889][INFO ][logstash.agent ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>}
Jun 16 12:02:24 ojelk0x logstash[24516]: [2020-06-16T12:02:24,968][INFO ][org.logstash.beats.Server][main] Starting server on port: 5044
Jun 16 12:02:25 ojelk0x logstash[24516]: [2020-06-16T12:02:25,454][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}
Hint: Some lines were ellipsized, use -l to show in full.

My logstash pipeline
# Sample Logstash configuration for creating a simple
# Beats -> Logstash -> Elasticsearch pipeline.

input {
  beats {
    port => 5044
  }
}

output {
  elasticsearch {
    hosts => ["http://10.1.x.x:9200"]
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    user => "elastic"
    password => "xxxxxxxxxx"
  }
}


Winlogbeat Yml file

#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["10.1.x.x:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

So I ran netstat on my Windows Server 2012 machine to check whether the connection to port 5044 is established:
TCP 10.1.X.X:60477 10.1.x.x:5044 SYN_SENT
The SYN was sent but the connection didn't establish.

Now I changed the output to Elasticsearch and was able to index. I also checked that the connection is established:
TCP 10.1.X.X:57066 10.1.x.x:9200 ESTABLISHED

I had to open port 5044 on the firewall for both incoming and outbound rules

I need help here, please.


Hi @proxx, can you enable debug logging in Winlogbeat and check if any events are sent in the logs, or for any errors?
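The SYN_SENT versus ESTABLISHED contrast in the question can be reproduced from the Windows host with a small probe. This is an added example, not code from the thread: the function names `probe` and `interpret` are hypothetical, and the target host is passed on the command line because the thread elides the real address.

```python
import errno
import socket
import sys

def probe(host, port, timeout=3.0):
    """Classify one TCP connect attempt in the terms netstat would show."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"        # handshake completed: netstat shows ESTABLISHED
    except (socket.timeout, TimeoutError):
        return "filtered"    # SYN never answered: netstat stays in SYN_SENT
    except ConnectionRefusedError:
        return "closed"      # RST returned: host reachable, no listener
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise
    finally:
        s.close()

def interpret(states, beats_port=5044, es_port=9200):
    """Turn the per-port states into the next thing to check."""
    beats, es = states.get(beats_port), states.get(es_port)
    if beats == "open":
        return "beats port reachable: check Winlogbeat and Logstash logs"
    if beats == "filtered" and es == "open":
        # Same host answers on 9200, so routing is fine; only 5044 is dropped.
        return "beats port dropped by a firewall on the path or on the Logstash host"
    if beats == "closed":
        return "beats port refused: no listener on that address"
    return "host not reachable on either port: check routing before firewall rules"

if __name__ == "__main__":
    # Usage: python probe.py <logstash-host>   (host is supplied by the operator)
    target = sys.argv[1]
    states = {p: probe(target, p) for p in (5044, 9200)}
    print(states)
    print(interpret(states))
```

A `filtered` result on 5044 alongside `open` on 9200 matches the netstat output in the question: the Logstash log shows the Beats listener bound to 0.0.0.0:5044, so an unanswered SYN means the packet is being dropped before it reaches that listener.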
