Thanks Andrew. I updated it, and now I'm getting the error below:
H:\WinlogBeats>.\winlogbeat.exe -c winlogbeat.yml -e -d "*" -configtest
Flag --configtest has been deprecated, configtest flag has been deprecated, use test config subcommand
2018-04-03T11:30:25.901-0700 INFO instance/beat.go:468 Home path: [H:\WinlogBeats] Config path: [H:\WinlogBeats] Data path: [H:\WinlogBeats\data] Logs path: [H:\WinlogBeats\logs]
2018-04-03T11:30:25.903-0700 DEBUG [beat] instance/beat.go:495 Beat metadata path: H:\WinlogBeats\data\meta.json
2018-04-03T11:30:25.904-0700 INFO instance/beat.go:475 Beat UUID: 4afcbbd1-4864-42d1-ad55-1e9939740496
2018-04-03T11:30:25.905-0700 INFO instance/beat.go:213 Setup Beat: winlogbeat; Version: 6.2.3
2018-04-03T11:30:25.909-0700 WARN instance/metrics_other.go:8 Metrics not implemented for this OS.
2018-04-03T11:30:25.911-0700 DEBUG [beat] instance/beat.go:230 Initializing output plugins
2018-04-03T11:30:25.912-0700 DEBUG [processors] processors/processor.go:49 Processors:
2018-04-03T11:30:25.914-0700 ERROR outputs/tls.go:229 Dropping encrypted pem 'RSA PRIVATE KEY' block read from c:/programdata/winlogbeat/client.key. No passphrase available
2018-04-03T11:30:25.917-0700 ERROR outputs/tls.go:184 Failed reading key file c:/programdata/winlogbeat/client.key: no PEM blocks
2018-04-03T11:30:25.920-0700 ERROR instance/beat.go:667 Exiting: error initializing publisher: 1 error: no PEM blocks c:/programdata/winlogbeat/client.key
Exiting: error initializing publisher: 1 error: no PEM blocks c:/programdata/winlogbeat/client.key
The client certificate that you have configured Winlogbeat to use to authenticate to Logstash appears to be encrypted. Winlogbeat must be configured with the decryption password in order to use this client certificate. Use ssl.key_passphrase for this.
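The two ERROR lines above are worth reading as a pair: the loader finds the key, sees that the block is encrypted, drops it because no passphrase is configured, and only then reports "no PEM blocks" because nothing usable is left. The following script is an added example (not Winlogbeat's code, and not part of Andrew's reply) that reconstructs that decision from string inspection alone, so you can check an ssl.key file before restarting the Beat. It recognises both legacy OpenSSL encryption (Proc-Type: 4,ENCRYPTED / DEK-Info headers) and PKCS#8 ENCRYPTED PRIVATE KEY blocks, and it also flags the case where ssl.key points at a certificate file. The PEM payloads below are constructed placeholders, not real keys; the exact wording of Winlogbeat's internal checks is an assumption based only on the log lines quoted above.

```python
import re

# One PEM block: "-----BEGIN <type>-----", body, "-----END <type>-----".
_PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<type>[A-Z0-9 ]+)-----\n(?P<body>.*?)-----END (?P=type)-----",
    re.S,
)


def pem_blocks(text):
    """Return a list of (block_type, headers, is_encrypted) for every PEM
    block in `text`. Line endings are normalised so Windows files work."""
    text = text.replace("\r\n", "\n")
    blocks = []
    for m in _PEM_BLOCK.finditer(text):
        btype, body = m.group("type"), m.group("body")
        # Legacy OpenSSL-encrypted keys carry RFC 1421 headers (Proc-Type,
        # DEK-Info) separated from the base64 payload by a blank line.
        headers = {}
        head, sep, _payload = body.partition("\n\n")
        if sep:
            for line in head.splitlines():
                key, _, value = line.partition(":")
                headers[key.strip()] = value.strip()
        encrypted = (
            btype == "ENCRYPTED PRIVATE KEY"               # PKCS#8, encrypted
            or headers.get("Proc-Type") == "4,ENCRYPTED"   # PKCS#1 / legacy OpenSSL
        )
        blocks.append((btype, headers, encrypted))
    return blocks


def usable_key_blocks(text, passphrase=None):
    """Key block types a loader could use once encrypted blocks without a
    passphrase are dropped. An empty result corresponds to the 'no PEM
    blocks' failure in the log (a reconstruction, not Beats code)."""
    usable = []
    for btype, _headers, encrypted in pem_blocks(text):
        if "PRIVATE KEY" not in btype:
            continue          # e.g. a CERTIFICATE block in the wrong file
        if encrypted and not passphrase:
            continue          # "Dropping encrypted pem ... No passphrase available"
        usable.append(btype)
    return usable


def diagnose(text, passphrase=None):
    """Human-readable verdict for the contents of an ssl.key file."""
    blocks = pem_blocks(text)
    if not blocks:
        return "no PEM blocks at all: wrong file or not PEM (DER/PFX?)"
    if any(enc for _t, _h, enc in blocks) and not passphrase:
        return "encrypted private key and no passphrase: set ssl.key_passphrase"
    if not usable_key_blocks(text, passphrase):
        return "PEM found but no private key block: ssl.key points at a certificate?"
    return "ok"


# Constructed sample files (the base64 payload is a placeholder, not a real key).
ENCRYPTED_PKCS1 = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

bm90IGEgcmVhbCBrZXk=
-----END RSA PRIVATE KEY-----
"""

ENCRYPTED_PKCS8 = """-----BEGIN ENCRYPTED PRIVATE KEY-----
bm90IGEgcmVhbCBrZXk=
-----END ENCRYPTED PRIVATE KEY-----
"""

PLAIN_KEY = """-----BEGIN RSA PRIVATE KEY-----
bm90IGEgcmVhbCBrZXk=
-----END RSA PRIVATE KEY-----
"""

CERT_ONLY = """-----BEGIN CERTIFICATE-----
bm90IGEgcmVhbCBjZXJ0
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    samples = [("encrypted pkcs1", ENCRYPTED_PKCS1), ("encrypted pkcs8", ENCRYPTED_PKCS8),
               ("plain key", PLAIN_KEY), ("certificate only", CERT_ONLY)]
    for name, sample in samples:
        print(f"{name:17} no passphrase   -> {diagnose(sample)}")
        print(f"{name:17} with passphrase -> {diagnose(sample, 'hunter2')}")
```

To run it against a real file, read the file and pass its text to diagnose() together with the value you intend to put in ssl.key_passphrase. Note that the passphrase then sits in clear text in winlogbeat.yml, so restrict that file's ACL to the service account, or store the secret in the Beats keystore where your version supports it; decrypting the key with openssl and shipping an unencrypted key file protected by file permissions is the other common choice.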
I checked again and do not see any more errors, but I have still yet to see logs in Kibana as I was seeing before I enabled SSL.
H:\WinlogBeats>.\winlogbeat.exe -c winlogbeat.yml -e -d "*" -configtest
Flag --configtest has been deprecated, configtest flag has been deprecated, use test config subcommand
2018-04-03T12:20:07.186-0700 INFO instance/beat.go:468 Home path: [H:\WinlogBeats] Config path: [H:\WinlogBeats] Data path: [H:\WinlogBeats\data] Logs path: [H:\WinlogBeats\logs]
2018-04-03T12:20:07.191-0700 DEBUG [beat] instance/beat.go:495 Beat metadata path: H:\WinlogBeats\data\meta.json
2018-04-03T12:20:07.195-0700 INFO instance/beat.go:475 Beat UUID: 4afcbbd1-4864-42d1-ad55-1e9939740496
2018-04-03T12:20:07.198-0700 INFO instance/beat.go:213 Setup Beat: winlogbeat; Version: 6.2.3
2018-04-03T12:20:07.201-0700 WARN instance/metrics_other.go:8 Metrics not implemented for this OS.
2018-04-03T12:20:07.204-0700 DEBUG [beat] instance/beat.go:230 Initializing output plugins
2018-04-03T12:20:07.207-0700 DEBUG [processors] processors/processor.go:49 Processors:
2018-04-03T12:20:07.216-0700 INFO pipeline/module.go:76 Beat name: SQLPRODUCTION
2018-04-03T12:20:07.218-0700 INFO beater/winlogbeat.go:56 State will be read from and persisted to H:\WinlogBeats\data\.winlogbeat.yml
2018-04-03T12:20:07.221-0700 DEBUG [eventlog] eventlog/factory.go:129 Using highest priority API, wineventlog, for event log Application
2018-04-03T12:20:07.226-0700 DEBUG [winlogbeat] beater/winlogbeat.go:83 Initialized EventLog[Application]
2018-04-03T12:20:07.229-0700 DEBUG [processors] processors/processor.go:49 Processors:
2018-04-03T12:20:07.232-0700 DEBUG [eventlog] eventlog/factory.go:129 Using highest priority API, wineventlog, for event log Security
2018-04-03T12:20:07.236-0700 DEBUG [winlogbeat] beater/winlogbeat.go:83 Initialized EventLog[Security]
2018-04-03T12:20:07.239-0700 DEBUG [processors] processors/processor.go:49 Processors:
2018-04-03T12:20:07.241-0700 DEBUG [eventlog] eventlog/factory.go:129 Using highest priority API, wineventlog, for event log System
2018-04-03T12:20:07.245-0700 DEBUG [winlogbeat] beater/winlogbeat.go:83 Initialized EventLog[System]
2018-04-03T12:20:07.248-0700 DEBUG [processors] processors/processor.go:49 Processors:
2018-04-03T12:20:07.251-0700 WARN [cfgwarn] instance/beat.go:283 DEPRECATED: -configtest flag has been deprecated, use configtest subcommand Will be removed in version: 6.0
Config OK
2018-04-03T12:20:07.251-0700 INFO [monitoring] log/log.go:97 Starting metrics logging every 30s
2018-04-03T12:20:07.260-0700 INFO [monitoring] log/log.go:132 Total non-zero metrics {"monitoring": {"metrics": {"libbeat":{"config":{"module":{"running":0}},"output":{"type":"logstash"},"pipeline":{"clients":0,"events":{"active":0}}},"uptime":"{\"server_time\":\"2018-04-03T19:20:07.2608827Z\",\"start_time\":\"2018-04-03T19:20:07.1688735Z\",\"uptime\":\"92.0092ms\",\"uptime_ms\":\"92009\"}"}}}
2018-04-03T12:20:07.269-0700 INFO [monitoring] log/log.go:133 Uptime: 155.6081ms
2018-04-03T12:20:07.272-0700 INFO [monitoring] log/log.go:110 Stopping metrics logging.
Have you started the Beat since then (without -configtest)? Run Winlogbeat for a few minutes and post the logs. If you want it to resend all data you can delete the registry file at C:\ProgramData\winlogbeat\.winlogbeat.yml before starting Winlogbeat.
Your Logstash config doesn't match up with the recommendations in the Beats documentation. See Setup Logstash. And you must load the index template into Elasticsearch manually because the options for auto loading the template are only available for the Elasticsearch output.
And setting type => "logs" doesn't do anything because the value is already set by Winlogbeat. See type in the Logstash beats input docs for the details.
The above Logstash config looks good. Is this what was running when you ran the winlogbeat test output command?
It seems like Logstash is rejecting the client certificate. Though I think to confirm that you will need to look at the logs on the server side (Logstash). Is the client certificate signed by what's in C:/temp/WinlogBeatsSSL/Certificates/RootCA.crt? Are there any details in the Logstash log output?
OK, I had to re-create my certs again because I was seeing 'bad key' errors on Logstash, and now I get no more errors running .\winlogbeat.exe test output -e -d "*":
H:\WinlogBeats> .\winlogbeat.exe test output -e -d "*"
2018-04-03T16:00:34.805-0700 INFO instance/beat.go:468 Home path: [H:\WinlogBeats] Config path: [H:\WinlogBeats] Data path: [H:\WinlogBeats\data] Logs path: [H:\WinlogBeats\logs]
2018-04-03T16:00:34.810-0700 DEBUG [beat] instance/beat.go:495 Beat metadata path: H:\WinlogBeats\data\meta.json
2018-04-03T16:00:34.813-0700 INFO instance/beat.go:475 Beat UUID: 4afcbbd1-4864-42d1-ad55-1e9939740496
logstash: corputility001w:5044...
connection...
parse host... OK
dns lookup... OK
addresses: 192.168.100.244, 192.168.100.245
dial up... OK
TLS...
security: server's certificate chain verification is enabled
handshake... OK
TLS version: TLSv1.2
dial up... OK
talk to server... OK
You could try deleting the registry file to see if it then resends all data.
Do you have more than this one client sending data to Logstash? Is there any other client that could be misconfigured? The exception should include an IP and port associated with the client.