Winlogbeat output to Logstash connection is ERROR


(willanm) #1

Hello.

When I sent the Event Log to Logstash 6.4 using Winlogbeat 6.4, it was found that the connection was wrong.

However, it is normal to send logs to Logstash using Filebeat on the same computer.

The Logstash configuration is as follows:

input {
  beats {
    port => "5044"
    type => "beats"
  }
}

output {
  if [type] == "beats" {
    stdout {
      codec => rubydebug
    }
  }
}

The configuration of Winlogbeat is as follows:

winlogbeat.event_logs:
 - name: Application
 - name: Security
 - name: System

#----------------------------- Logstash output --------------------------------
output.logstash:
 # The Logstash hosts
 hosts: ["10.109.14.11:5044"]

When I used the test output of winlogbeat, the results were as follows:

C:\winlogbeat-6.4.2>winlogbeat.exe test output
logstash: 10.109.14.11:5044...
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.109.14.11
    dial up... OK
  TLS... WARN secure connection disabled
  talk to server... OK

The following prompts when I run the service:

2018-10-24T12:47:09.437+0800  ERROR  logstash/async.go:256  Failed to publish events caused by: write tcp 10.109.14.14:45073->10.109.14.11:5044: wsasend: An existing connection was forcibly closed by the remote host.
2018-10-24T12:47:10.441+0800  ERROR  pipeline/output.go:121  Failed to publish events: write tcp 10.109.14.14:45073->10.109.14.11:5044: wsasend: An existing connection was forcibly closed by the remote host.
2018-10-24T12:47:10.441+0800  INFO  pipeline/output.go:95  Connecting to backoff(async(tcp://10.109.14.11:5044))
2018-10-24T12:47:10.456+0800  INFO  pipeline/output.go:105  Connection to backoff(async(tcp://10.109.14.11:5044)) established

Can I have some further suggestions on how to see if the issue is between Logstash and Winlogbeat?

