Winlogbeat TLS Connection to Logstash


(Dore Mon) #1

Hi,

I've configured winlogbeat on a Windows Server 2012. However, it doesn't work if I enable the TLS option. I've tried turning off TLS on both the client side (winlogbeat config) and the server side (logstash beats input) and it works perfectly, pushing all the event logs.

Doesn't winlogbeat officially support use of TLS yet?


(Andrew Kroh) #2

Winlogbeat supports using TLS on the Logstash output. Can you post the configuration that you are using for Winlogbeat and for Logstash. Also, what errors are you seeing?


(Dore Mon) #3

Hi,

I receive the following error when I enable TLS on both the Logstash server and the Winlogbeat client:

INFO Connecting error publishing events (retrying): dial tcp 10.10.10.20:5045: connectex: No connection could be made because the target machine actively refused it.

Following are the configurations

winlogbeat.yml

winlogbeat:
  registry_file: C:/ProgramData/winlogbeat/.winlogbeat.yml

  event_logs:
    - name: Application
    - name: Security
    - name: System
    - name: Windows PowerShell

output:
  logstash:
    hosts: ["10.10.10.20:5045"]
    # tls belongs under logstash; indented as a sibling of logstash the
    # setting is ignored and the client connects without TLS.
    tls:
      certificate_authorities: ["C:/ProgramData/winlogbeat/logstash-forwarder.crt"]

logging:
  to_files: true
  files:
    path: C:/ProgramData/winlogbeat/Logs
  level: info

02-beats-input.conf

input {
  beats {
    port => 5045
    ssl => true
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}
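A small checker, added here as an example (not part of the thread, of Winlogbeat or of Logstash), that cross-checks a winlogbeat.yml against a Logstash beats input for the three mismatches that most often break this pairing: tls placed beside logstash instead of under it (Winlogbeat then ignores it and talks plaintext), TLS enabled on only one side, and a port mismatch. It uses a minimal parser for the YAML subset Beats configs use, so it needs no PyYAML; the host, port and paths in the constructed samples mirror the thread's layout and are not real.

```python
"""Cross-check a Winlogbeat logstash output against a Logstash beats input.

Added example; the YAML subset parser below handles nested maps, scalars,
inline [..] lists and '- key: value' items, which is all Beats configs need.
"""
import re


def _scalar(value):
    """Turn 'x', '"x"', true/false or ["a", "b"] into a Python value."""
    v = value.strip()
    if v.startswith("[") and v.endswith("]"):
        return [_scalar(x) for x in v[1:-1].split(",") if x.strip()]
    if v.lower() in ("true", "false"):
        return v.lower() == "true"
    return v.strip("'\"")


def parse_simple_yaml(text):
    """Indentation decides nesting, exactly as it does for Beats."""
    root = {}
    # stack of (indent, owner_mapping, key): children attach to owner[key]
    stack = [(-1, {"root": root}, "root")]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        body = line.strip()
        while stack[-1][0] >= indent:
            stack.pop()
        _, owner, okey = stack[-1]
        is_item = body.startswith("- ")
        if owner[okey] is None:            # first child decides list vs map
            owner[okey] = [] if is_item else {}
        container = owner[okey]
        if is_item:
            key, _, value = body[2:].partition(":")
            container.append({key.strip(): _scalar(value)})
            continue
        key, _, value = body.partition(":")
        key = key.strip()
        container[key] = _scalar(value) if value.strip() else None
        stack.append((indent, container, key))
    return root


def parse_beats_input(text):
    """Pull 'key => value' settings out of a Logstash beats {} input block."""
    pairs = re.findall(r'(\w+)\s*=>\s*("[^"]*"|\S+)', text)
    return {k: v.strip('"') for k, v in pairs}


def check_tls_pairing(winlogbeat_yaml, beats_input_conf):
    """Return findings explaining why the pair cannot talk; [] if consistent."""
    findings = []
    cfg = parse_simple_yaml(winlogbeat_yaml)
    ls = parse_beats_input(beats_input_conf)
    output = cfg.get("output") or {}
    logstash = output.get("logstash") or {}
    # Layout slip: tls indented as a sibling of logstash is silently ignored.
    if "tls" in output and "tls" not in logstash:
        findings.append("winlogbeat: 'tls' must be nested under output.logstash, not beside it")
    client_tls = "tls" in logstash
    server_ssl = ls.get("ssl", "false").lower() == "true"
    if client_tls != server_ssl:
        findings.append(f"mismatch: winlogbeat tls={'on' if client_tls else 'off'}, "
                        f"logstash ssl={'on' if server_ssl else 'off'}")
    ports = {h.rsplit(":", 1)[-1] for h in logstash.get("hosts") or []}
    if "port" in ls and ports and ls["port"] not in ports:
        findings.append(f"port mismatch: hosts use {sorted(ports)}, logstash listens on {ls['port']}")
    return findings


# Constructed samples (address, port and paths are placeholders, not real hosts).
MISPLACED_TLS = """\
winlogbeat:
  event_logs:
    - name: Application
    - name: Security
output:
  logstash:
    hosts: ["10.10.10.20:5045"]
  tls:
    certificate_authorities: ["C:/ProgramData/winlogbeat/logstash-forwarder.crt"]
"""
NESTED_TLS = """\
winlogbeat:
  event_logs:
    - name: Application
    - name: Security
output:
  logstash:
    hosts: ["10.10.10.20:5045"]
    tls:
      certificate_authorities: ["C:/ProgramData/winlogbeat/logstash-forwarder.crt"]
"""
BEATS_INPUT_SSL = """\
input {
  beats {
    port => 5045
    ssl => true
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}
"""

if __name__ == "__main__":
    for name, yml in (("misplaced", MISPLACED_TLS), ("nested", NESTED_TLS)):
        print(name, check_tls_pairing(yml, BEATS_INPUT_SSL) or ["consistent"])
```

Run it against your own two files by reading them into the two string arguments; an empty list means the two sides at least agree on port and on whether TLS is in use, so a remaining "connection refused" is a network or host-level block rather than a config mismatch.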

(Steffen Siering) #4

Any log from Logstash? Any firewall rules preventing Winlogbeat from connecting to Logstash? Can you try without TLS to verify that the connection can be established?


(paul) #5

Same for me too. How can setting up Linux be easier than Windows?? I'm going to try changing the format of the certificate. However, since you have tried turning off TLS, that doesn't offer much hope. Is there anyone who has winlogbeats sending to logstash?


(Andrew Kroh) #6

Take a look at Using TLS between Beats and Logstash. I tried to capture some of the common problems with TLS and some debugging steps. Please let me know if it helps.


(Emmanuel Garcia) #7

I got mine working. I disabled the tls / ssl from 02-beats-input.conf and yml in my windows machine.


(Steffen Siering) #8

You sure you want to disable tls?


(Dore Mon) #9

Andrewkroh,

Thanks for sharing. I will try that and get back if it works.


(paul) #10

Hi, thanks for the response. Excited about ELK.

Where would you expect to find the Beats Logstash output configuration? Even though I have installed beats, there is no actual dir. Is it a plugin? The default location of the conf file would help. Tried the doc link. Also fully up and running from the Filebeat pov through TLS.

Windows is proving more problematic! The YAML edit passes a YAML validator but I'm getting a 1053 error when trying to start the winlogbeat service on a 2012 server.

Thanks for your input


(Andrew Kroh) #11

See the getting started guide: https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation.html The config file will be in the directory where you unzipped the download. There are no plugins, just the one EXE file.

Instead of starting Winlogbeat as a service, when debugging problems it is better to start the process on the command line and run it in the foreground. This way you can immediately see the errors.

So open a PowerShell prompt and change the directory to the location where you unzipped it (see the getting started guide).

PS C:\where\you\extracted\winlogbeat > .\winlogbeat.exe -c winlogbeat.yml -e -v

Add -d "*" if you want even more verbose output.

Once you have it running without errors, then stop the process and start it as a service.


(paul) #12

Thank you, that was very useful. Still not there but did spot 2 typos and a whole lotta YAML pain.

So apart from RTFM, a few questions if you don't mind!
If I run the program and it fails because of "target machine actively refused it", is there a way to escape?

thanks again


(Andrew Kroh) #13

To escape what? I don't follow...

Winlogbeat should continue to retry new connections to the host. You should be able to exit with Ctrl+C.

That sounds like a firewall issue either on the Winlogbeat machine, the network, or the destination host.
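To tell the failure classes apart from the client side, here is an added Python probe (example code, not part of Winlogbeat or of the thread) that attempts the same TCP connect and TLS handshake a Beats client would and classifies the outcome: "refused" and "timeout" are transport-level outcomes (nothing listening, a firewall, or endpoint protection blocking the connection) and are not TLS problems, while the ssl.* classes point at the certificates or at a plaintext beats input on the Logstash side. Host, port and cafile are parameters you supply; the demo run uses a loopback port with nothing listening, which reproduces the "actively refused" class from the thread.

```python
"""Classify a Beats-style TLS connection failure by the layer it fails at."""
import socket
import ssl


def classify_error(exc):
    """Map a connect/handshake exception to a coarse failure class."""
    if isinstance(exc, ConnectionRefusedError):
        return "refused"        # TCP RST: port closed or blocked, not a TLS issue
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"        # packets dropped silently, e.g. by a firewall
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "cert_verify"    # cafile does not vouch for the server certificate
    if isinstance(exc, ssl.SSLError):
        return "tls_handshake"  # server answered, but not with TLS we can accept
    if isinstance(exc, ConnectionResetError):
        return "reset"          # peer accepted the TCP connection, then dropped it
    return "other"


def probe_tls(host, port, cafile=None, timeout=5.0):
    """Open a TCP connection and complete a TLS handshake like the Beats client.

    cafile is the CA that signed the Logstash certificate (the
    certificate_authorities entry in winlogbeat.yml). None falls back to the
    system trust store, which will normally fail for a self-signed setup.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # server_hostname drives SNI and name checking; an IP literal is
            # matched against IP SANs in the certificate.
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"kind": "ok", "detail": tls.version()}
    except (OSError, ValueError) as exc:   # SSLError is an OSError subclass
        return {"kind": classify_error(exc), "detail": repr(exc)}


def closed_local_port():
    """Pick a loopback port with nothing listening, for the demo run."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Constructed demo: nothing listens on the chosen port, so the
    # result's kind is 'refused', the same class as the error in the thread.
    print(probe_tls("127.0.0.1", closed_local_port(), timeout=2))
```

Point probe_tls at the Logstash host and port with the CA file from winlogbeat.yml: a "refused" or "timeout" result means the TLS settings were never even exercised and the block is somewhere between the two hosts, while "cert_verify" or "tls_handshake" means the connection arrives and the certificate material or the ssl setting on the beats input is what to look at.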


(paul) #14

Thanks. When I say escape I mean return to the prompt from the winlogbeat program hogging the PowerShell window. I tried Ctrl+C but it continued listening. I had to start another, with a concern that I was adding more tasks on top of more.

UPDATE: Cracked it! It was the local AV on the client.


(Andrew Kroh) #15