Discussion in 'Install Logstash and Kibana on a Windows server.' started by zen.xen, Mar 21, 2016.

  zen.xen

    I have trouble configuring winlogbeat for Windows. I ran it in PowerShell; the result is below:

    PS C:\winlogbeat> .\winlogbeat.exe -c .\winlogbeat.yml -configtest -e
    2016/03/21 17:51:56.872778 geolite.go:24: INFO GeoIP disabled: No paths were set under output.geoip.paths
    2016/03/21 17:52:17.896676 outputs.go:119: INFO Activated elasticsearch as output plugin.
    2016/03/21 17:52:17.896676 publish.go:288: INFO Publisher name: ultimate
    2016/03/21 17:52:17.898675 async.go:78: INFO Flush Interval set to: 1s
    2016/03/21 17:52:17.899675 async.go:84: INFO Max Bulk Size set to: 50
    2016/03/21 17:52:17.899675 beat.go:147: INFO Init Beat: winlogbeat; Version: 1.1.2
    2016/03/21 17:52:17.900675 winlogbeat.go:87: INFO State will be read from and persisted to C:\ProgramData\winlogbeat\.winlogbeat.yml
    2016/03/21 17:52:17.900675 checkpoint.go:258: INFO Creating C:\ProgramData\winlogbeat if it does not exist.

    In winlogbeat.yml, in the "Output" section, I changed hosts:

    hosts: [""] is my server with the ELK software.

    I don't know what else to change so that my client machine can connect to the server.
    I checked the winlogbeat logs and found this:

    2016-03-21T18:53:56+01:00 INFO Connecting error publishing events (retrying): Head dial tcp connectex: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
    2016-03-21T18:53:56+01:00 INFO send fail
    2016-03-21T18:53:56+01:00 INFO backoff retry: 2s

    What am I doing wrong, such that the client machine can't connect to the server?
  sbagmeijer

    Are you running everything on the same server or separate servers?
    In case of separate servers, are your firewalls configured to allow the traffic?
  zen.xen

    Everything is on the same server; the firewall is turned off on both the server and the client.
  sbagmeijer

    I never actually tried winlogbeat. If you cannot get it resolved before next weekend, I can set up a small test environment to see if I can get it to work.
    Currently a little busy with Easter around the corner, so not much time to test at the moment.
  zen.xen

    No problem, I'll try to find a solution. What do you use instead of winlogbeat?
  sbagmeijer

    We currently still use Nxlog. Our plan was to move to the Beats (winlogbeat) programs instead, but it is down-prioritised :) so, since Nxlog currently works, there is no hurry moving it.
  zen.xen

    I see, you are using Nxlog. Could you share how to configure it on both sides, server and client? Maybe this will be a little bit easier than winlogbeat?
  zen.xen

    I found the solution; winlogbeat works and sends logs. The solution is below:

    In more recent versions of ElasticSearch (i.e. v 2.0 onwards) you’ll need to adjust the configuration to open it up to the outside world as it only listens to localhost by default. This is done by adding the following line to your config/elasticsearch.yml file:

    network.bind_host: 0
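A check I would run on both machines to narrow this kind of failure down, as an added example (PowerShell, not from the thread or from the tutorial it refers to): the server name, port 9200 and a default Elasticsearch 2.x install are assumptions; the cmdlets are standard on Windows 8.1 / Server 2012 R2 and later.

```powershell
# Added example, not from the thread. Confirms where Elasticsearch listens on
# the ELK server and whether the winlogbeat host can reach it.
# Assumed values: the default Elasticsearch HTTP port and a placeholder host name.
$EsPort = 9200
$EsHost = 'elk.example.internal'   # placeholder for the host in winlogbeat.yml "hosts:"

# 1. Run on the ELK server: which local addresses is the port bound to?
#    127.0.0.1 / ::1 only -> the ES 2.x default (localhost only, remote clients time out)
#    0.0.0.0 / ::         -> every interface (network.bind_host: 0); ES 2.x has no
#                            authentication by default, so binding to the one address
#                            winlogbeat uses is the narrower choice.
function Get-EsListeners {
    param([int]$Port = 9200)
    Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, OwningProcess
}

# 2. Run on the winlogbeat host: does a plain TCP connect succeed at all?
#    A timeout here is exactly the "connectex ... did not properly respond" error
#    from the winlogbeat log (nothing listening on that address, or filtered).
function Test-EsReachable {
    param([string]$ComputerName, [int]$Port = 9200)
    $r = Test-NetConnection -ComputerName $ComputerName -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Host          = $ComputerName
        Port          = $Port
        TcpOpen       = $r.TcpTestSucceeded
        RemoteAddress = $r.RemoteAddress
    }
}

# 3. Run on the winlogbeat host: does Elasticsearch itself answer an HTTP HEAD?
#    winlogbeat's connectivity check issues a HEAD request, which is the "Head"
#    at the start of the logged error. Returns the status code, or the error text.
function Test-EsHttp {
    param([string]$ComputerName, [int]$Port = 9200)
    try {
        $resp = Invoke-WebRequest -Uri "http://${ComputerName}:$Port/" -Method Head -UseBasicParsing -TimeoutSec 5
        return $resp.StatusCode
    } catch {
        return $_.Exception.Message
    }
}

Get-EsListeners -Port $EsPort
Test-EsReachable -ComputerName $EsHost -Port $EsPort
Test-EsHttp -ComputerName $EsHost -Port $EsPort
```

If step 1 shows only 127.0.0.1 while winlogbeat's hosts entry is the machine's LAN address, the connection goes to an address nothing is bound to, which matches the timeout in the log.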
  zen.xen

    I tried to run Nxlog because it has one feature that winlogbeat doesn't have (or I haven't found it): Nxlog can exclude selected events from being sent to the ELK server. Nxlog has a port that is used for sending events, but I don't know where the same port should be set in ELK. Could you share your configuration?
  sbagmeijer

    I updated the tutorial to include all Beats, also winlogbeat; it worked out of the box for you, so please have a look and see if it resolves your problems also.

    Winlogbeat Dashboard:

