I've configured winlogbeat on a Windows Server 2012. However it doesn't work if I enable the tls option. I've tried turning off tls on both client side (winlogbeat config) and on server side (logstash beats input) and it works perfectly pushing all the eventlogs.
Doesn't winlogbeat officially support use of tls yet?
Winlogbeat supports using TLS on the Logstash output. Can you post the configuration that you are using for Winlogbeat and for Logstash? Also, what errors are you seeing?
I receive the following error when I enable tls on both logstash server and in winlogbeat client:
INFO Connecting error publishing events (retrying): dial tcp 10.10.10.20:5045: connectex: No connection could be made because the target machine actively refused it.
Any log from logstash? Any firewall rules preventing winlogbeat from connecting to logstash? Can you try without TLS to verify connection can be established?
Same for me too. How can setting up Linux be easier than windows?? I'm going to try changing the format of the certificate. However, since you have tried turning off TLS, that doesn't offer much hope. Is there anyone who has winlogbeats sending to logstash?
Take a look at Using TLS between Beats and Logstash. I tried to capture some of the common problems with TLS and some debugging steps. Please let me know if it helps.
Where would you expect to find Beats Logstash output configuration? Even though I have installed beats, there is no actual dir. Is it a plugin? Default loc of conf file would help. Tried the doc link. Also fully up and running from Filebeat pov through TLS.
Windows is proving more problematic! YAML edit passes YAML validator but getting a 1053 error when trying to start the winlogbeat service on a 2012 server.
Instead of starting Winlogbeat as a service, when debugging problems it is better to start the process on the command line and run it in the foreground. This way you can immediately see the errors.
So open a PowerShell prompt and change the directory to the location where you unzipped it (see the getting started guide).
Thank you, that was very useful. Still not there but did stop 2 typos and a whole lotta YAML pain.
So apart from RTFM a few questions if you don't mind!
If I run the program and it fails because of "target machine actively refused it" is there a way to escape?
Thanks, when I say escape I mean return prompt from the winlogbeat program hogging the powershell. I tried ctrl+c but it continued listening. I had to start another with a concern that I was adding more tasks on top of more.
UPDATE: Cracked it! This was the local AV on the client.
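The "actively refused" error quoted in this thread is raised at the TCP connect step, before any TLS handshake begins, so it helps to test the two layers separately. The script below is an added example (not part of the original thread and not Elastic's own tooling) that probes the endpoint from the error message in two steps; the `CertName` parameter and the choice of TLS 1.2 are assumptions, and the function name is hypothetical.

```powershell
# Added example: separates a TCP-level refusal from a TLS-level failure.
# Host and port are the ones in the error quoted in this thread.
param(
    [string]$LogstashHost = '10.10.10.20',
    [int]$Port = 5045,
    # Assumption: the name (CN/SAN) the Logstash certificate was issued for.
    [string]$CertName = $LogstashHost
)

function Test-BeatsEndpoint {
    param([string]$TargetHost, [int]$TargetPort, [string]$ExpectedName)

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        # Step 1: plain TCP connect. "actively refused" fails here, so a
        # failure at this step is a listener, firewall or local AV problem.
        try { $tcp.Connect($TargetHost, $TargetPort) }
        catch {
            return "TCP: failed ($($_.Exception.GetBaseException().Message))"
        }
        $tcp.ReceiveTimeout = 5000   # do not hang if the peer is not speaking TLS
        $tcp.SendTimeout = 5000

        # Step 2: TLS handshake, validated against the Windows trust store.
        # Winlogbeat uses the CA configured in its own YAML instead, so a
        # rejection here only shows that the handshake was reached.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        try {
            # Assumption: the Logstash input accepts TLS 1.2.
            $tls12 = [System.Security.Authentication.SslProtocols]::Tls12
            $ssl.AuthenticateAsClient($ExpectedName, $null, $tls12, $false)
            return "TLS: ok ($($ssl.SslProtocol), subject=$($ssl.RemoteCertificate.Subject))"
        }
        catch [System.Security.Authentication.AuthenticationException] {
            return "TLS: handshake reached, certificate rejected ($($_.Exception.Message))"
        }
        catch {
            return "TLS: handshake failed ($($_.Exception.GetBaseException().Message))"
        }
        finally { $ssl.Dispose() }
    }
    finally { $tcp.Close() }
}

Test-BeatsEndpoint -TargetHost $LogstashHost -TargetPort $Port -ExpectedName $CertName
```

A result starting with `TCP: failed` means the Winlogbeat TLS settings are not yet in play; check that the Logstash beats input is listening on that port and that no firewall or endpoint security product on either host is blocking the connection.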