Winlogbeat TLS Connection to Logstash

doremon · February 16, 2016, 4:21pm

Hi,

I've configured winlogbeat on a Windows Server 2012. However it doesn't work if I enable the tls option. I've tried turning off tls on both client side (winlogbeat config) and on server side (logstash beats input) and it works perfectly pushing all the eventlogs.

Doesn't winlogbeat offcialy support use of tls yet?

andrewkroh · February 17, 2016, 4:03am

Winlogbeat supports using TLS on the Logstash output. Can you post the configuration that you are using for Winlogbeat and for Logstash. Also, what errors are you seeing?

doremon · February 17, 2016, 2:54pm

Hi,

I receive the following error when I enable tls on both logstash server and in winlogbeat client

INFO Connecting error publishing events (retrying): dial tcp 10.10.10.20:5045: connectex: No connection could be made because the target machine actively refused it.

Following are the configurations

winlogbeat.yml

winlogbeat:
  registry_file: C:/ProgramData/winlogbeat/.winlogbeat.yml

  event_logs:
    - name: Application
    - name: Security
    - name: System
    - name: Windows PowerShell

output:
  logstash:
    hosts: ["10.10.10.20:5045"]

  tls:
    certificate_authorities: ["C:/ProgramData/winlogbeat/logstash-forwarder.crt"]

logging:
  to_files: true
  files:
    path: C:/ProgramData/winlogbeat/Logs
  level: info

02-beats-input.conf

input {
  beats {
    port => 5045
    ssl => true
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}

steffens · February 17, 2016, 10:08pm

Any log from logstash? Any firewall rules preventing winlogbeat from connecting to logtash? Can you try without TLS to verify connection can be established.

dickepa · February 25, 2016, 5:38pm

Same for me too. How can setting up Linux be easier than windows?? I'm going to try changing the format of the certificate. However since you have tried turning off TLS doesn't offer much hope. Is there anyone who has winlogbeats sending to logstash?

andrewkroh · February 25, 2016, 9:52pm

Take a look at Using TLS between Beats and Logstash. I tried to capture some of the common problems with TLS and some debugging steps. Please let me know if it helps.

MrServer · February 26, 2016, 5:36am

I got mine working. I disabled the tls / ssl from 02-beats-input.conf and yml in my windows machine.

steffens · February 26, 2016, 7:51am

You sure you want to disable tls?

doremon · February 29, 2016, 11:57am

Andrewkroh,

Thanks for sharing. I will try that and get back if it works.

dickepa · March 4, 2016, 3:42pm

Hi, thanks for the response. Excited about ELK.

Where would you expect to find Beats Logstash output configuration? Eventhough have installed beats, no actual dir. Is it a plugin? default loc of conf file would help Tried the doc link. Also fully up and running from Filebeat pov through TLS.

Windows is proving more problematic! YAML edit passes YAML validator but getting an 1053 error when trying to start the winbeatlog service on a 2012 server.

Thanks for your input

andrewkroh · March 4, 2016, 4:28pm

See the getting started guide: Winlogbeat quick start: installation and configuration | Winlogbeat Reference [8.11] | Elastic The config file will be in the directory where you unzipped the download. There are no plugins, just the one EXE file.

Instead of starting Winlogbeat as a service, when debugging problems it is better to start the process on the command line and run it in the foreground. This way you can immediately see the errors.

So open a PowerShell prompt and change the directory to the location where you unzipped it (see the getting started guide).

PS C:\where\you\extracted\winlogbeat > .\winlogbeat.exe -c winlogbeat.yml -e -v

Add -d "*" if you want event more verbose output.

Once you have it running without errors, then stop the process and start it as a service.

dickepa · March 8, 2016, 2:48pm

Thank you that was very useful. Still not there but did stop 2 typos and a whole lotta YAML pain.

So apart from RTFM a few questions if you don't mind!
If I run the program and it fails because of "target machine activitely refused it" is there a way to escape?

thanks again

andrewkroh · March 8, 2016, 3:17pm

To escape what? I don't follow...

Winlogbeat should continue to retry new connections to the host. You should be able to exit with Ctrl+C.

That sounds like a firewall issue either on the Winlogbeat machine, the network, or the destination host.

dickepa · March 8, 2016, 4:59pm

Thanks, when I say escape I mean return prompt from the winlogbeat program hogging the powershell. I tried ctrl+c but it continued listening. I had to start another with a concern that I was adding more tasks on top of more.

UPDATE: Cracked it! Tis was the local AV on the client