Winlogbeat not making it through to Elastic

The current setup is My Workstation > Logstash > Elasticsearch

I can see via tcpdump that I am getting traffic from my host to Logstash, although it's not what I would expect to see; I also don't see any traffic leaving the Logstash box to Elasticsearch. Below are the Beats, pipeline.yml, and winlogbeats.conf in the /etc/logstash/conf.d configurations. Also, yes, I manually loaded the template and got the successful return. Yes, I can curl 9200 of the Elastic server.

Am I missing something?

Logstash config:

input {
  beats {
    port => 5044
  }
}

output {
  elasticsearch {
    hosts => "192.168.20.35:9200"
    manage_template => false
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
}

Pipeline config:

- pipeline.id: WindowsHostLogging
  path.config: "/etc/logstash/conf.d/windows-host-logs.conf"

Beats config:

winlogbeat.event_logs:
  - name: Security
    event_id: -5156, -5152, -5158

setup.template.settings:
  index.number_of_shards: 3

output.logstash:
  hosts: "192.168.1.243:5044"

I only see SYN packets from my host to Logstash. Nothing from Logstash to Elastic:

15:26:45.840311 IP 192.168.1.182.54357 > 192.168.1.243.5044: Flags [S], seq 2101056925, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:26:48.841634 IP 192.168.1.182.54357 > 192.168.1.243.5044: Flags [S], seq 2101056925, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:26:54.850542 IP 192.168.1.182.54357 > 192.168.1.243.5044: Flags [S], seq 2101056925, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

I assume that tcpdump is running on the machine running the filebeat. Do you see the same packets on the machine running logstash?

Could be a firewall is blocking the traffic.
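The capture above shows the same SYN (identical sequence number) retransmitted three times with no SYN-ACK coming back, which is the signature of a silently dropped connection rather than a closed port (a closed port answers with RST). The following is an added example, not code from the original thread or from Elastic, that parses tcpdump lines of the form posted and classifies each client-to-server flow as established, refused, or no-response. The sample capture is constructed: it reuses the three SYN lines from the post and adds two made-up flows (one healthy handshake to 192.168.20.35:9200 and one RST-refused attempt to port 5045) purely to show the other two verdicts.

```python
import re
from collections import defaultdict

# Constructed sample capture: the three retransmitted SYNs quoted in the thread,
# plus two made-up flows (a completed handshake and a refused connection) so
# every verdict the classifier can produce appears in the output.
SAMPLE_TCPDUMP = """\
15:26:45.840311 IP 192.168.1.182.54357 > 192.168.1.243.5044: Flags [S], seq 2101056925, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:26:48.841634 IP 192.168.1.182.54357 > 192.168.1.243.5044: Flags [S], seq 2101056925, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:26:54.850542 IP 192.168.1.182.54357 > 192.168.1.243.5044: Flags [S], seq 2101056925, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:27:01.000000 IP 192.168.1.182.54400 > 192.168.20.35.9200: Flags [S], seq 1, win 64240, length 0
15:27:01.000500 IP 192.168.20.35.9200 > 192.168.1.182.54400: Flags [S.], seq 2, ack 2, win 65160, length 0
15:27:05.000000 IP 192.168.1.182.54500 > 192.168.1.243.5045: Flags [S], seq 3, win 64240, length 0
15:27:05.000200 IP 192.168.1.243.5045 > 192.168.1.182.54500: Flags [R.], seq 0, ack 4, win 0, length 0
"""

# Matches the prefix tcpdump prints for IPv4 TCP packets with -nn (numeric hosts/ports).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)


def parse_tcpdump(text):
    """Yield (src, sport, dst, dport, flags) for every TCP line tcpdump printed."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (m.group("src"), int(m.group("sport")),
                   m.group("dst"), int(m.group("dport")), m.group("flags"))


def classify_handshakes(text):
    """
    Group packets by client->server flow and report what the handshake shows.

    Returns {"src:sport->dst:dport": (verdict, syn_count)} where verdict is:
      'established' - the server port answered with SYN-ACK ([S.])
      'refused'     - the server answered with RST: host reachable, nothing listening
      'no-response' - only client SYNs seen (retransmissions of the same seq):
                      the SYN is dropped on the path or on the host, which is the
                      usual firewall signature, or it is going to the wrong address
    Only flows whose initial SYN was captured are tracked.
    """
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "rst": 0})
    for src, sport, dst, dport, flags in parse_tcpdump(text):
        fwd = (src, sport, dst, dport)
        rev = (dst, dport, src, sport)  # key of the flow this packet replies to
        if flags == "S":
            flows[fwd]["syn"] += 1
        elif flags == "S." and rev in flows:
            flows[rev]["synack"] += 1
        elif "R" in flags and rev in flows:
            flows[rev]["rst"] += 1

    result = {}
    for (src, sport, dst, dport), c in flows.items():
        if c["synack"]:
            verdict = "established"
        elif c["rst"]:
            verdict = "refused"
        else:
            verdict = "no-response"
        result[f"{src}:{sport}->{dst}:{dport}"] = (verdict, c["syn"])
    return result


if __name__ == "__main__":
    for flow, (verdict, syns) in classify_handshakes(SAMPLE_TCPDUMP).items():
        print(f"{flow:45s} {verdict:12s} (SYNs seen: {syns})")
```

To use it on a live capture, run `tcpdump -nn -i any port 5044` on the Logstash host and feed the saved output to `classify_handshakes`. A `no-response` verdict on the Logstash side with SYNs arriving means the host receives the packets but nothing answers (check `ss -lnt` for a listener on 5044 and the host firewall); SYNs that never appear on the Logstash host at all point at a firewall or routing problem between the workstation and Logstash, which is the case the reply above suggests.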
