Graylog2/graylog-plugin-beats

Winlogbeat not sending log to graylog

Aguay-val opened this issue · 2 comments

Hi !

I'm trying to use Winlogbeat with Graylog2. But after a couple of hours I gave up. I was not able to link my Windows 7 client using winlogbeat (latest release 1.2.2) and my Graylog server (version 2).

Here is my configuration file, winlogbeat.yml:

winlogbeat:
  registry_file: C:/ProgramData/winlogbeat/.winlogbeat.yml
  event_logs:
    - name: Application
      ignore_older: 72h
    - name: Security
    - name: System
output:
  logstash:
    hosts: ["192.168.232.123"]
    compression_level: 4
    loadbalance: false
    port: 5044
shipper:
logging:
  to_files: true
  files:
    path: C:/ProgramData/winlogbeat/Logs
    rotateeverybytes: 10485760
  level: debug

Log file:

2016/05/03 15:03:21.098632 single.go:152: INFO send fail
2016/05/03 15:03:21.099609 single.go:159: INFO backoff retry: 1s
2016/05/03 15:03:22.100585 client.go:100: DBG  connect
2016/05/03 15:03:22.105468 client.go:146: DBG  Try to publish 14 events to logstash with window size 5
2016/05/03 15:03:41.015625 client.go:105: DBG  close connection
2016/05/03 15:03:41.021484 client.go:124: DBG  0 events out of 14 events sent to logstash. Continue sending ...
2016/05/03 15:03:41.024414 single.go:76: INFO Error publishing events (retrying): read tcp 192.168.232.230:57675->192.168.232.123:5044: wsarecv: Une tentative de connexion a échoué car le parti connecté n'a pas répondu convenablement au-delà d'une certaine durée ou une connexion établie a échoué car l'hôte de connexion n'a pas répondu.
2016/05/03 15:03:41.026367 single.go:152: INFO send fail
2016/05/03 15:03:41.027343 single.go:159: INFO backoff retry: 2s
2016/05/03 15:03:43.028320 client.go:100: DBG  connect
2016/05/03 15:03:43.033203 client.go:146: DBG  Try to publish 14 events to logstash with window size 2
2016/05/03 15:04:01.944335 client.go:105: DBG  close connection
2016/05/03 15:04:01.950195 client.go:124: DBG  0 events out of 14 events sent to logstash. Continue sending ...
2016/05/03 15:04:01.952148 single.go:76: INFO Error publishing events (retrying): read tcp 192.168.232.230:57678->192.168.232.123:5044: wsarecv: Une tentative de connexion a échoué car le parti connecté n'a pas répondu convenablement au-delà d'une certaine durée ou une connexion établie a échoué car l'hôte de connexion n'a pas répondu.
2016/05/03 15:04:01.955078 single.go:152: INFO send fail
2016/05/03 15:04:01.956054 single.go:159: INFO backoff retry: 4s
2016/05/03 15:04:05.957031 client.go:100: DBG  connect
2016/05/03 15:04:05.965820 client.go:146: DBG  Try to publish 14 events to logstash with window size 1
2016/05/03 15:04:24.865234 client.go:105: DBG  close connection
2016/05/03 15:04:24.872070 client.go:124: DBG  0 events out of 14 events sent to logstash. Continue sending ...
2016/05/03 15:04:24.874023 single.go:76: INFO Error publishing events (retrying): read tcp 192.168.232.230:57679->192.168.232.123:5044: wsarecv

And finally, here is my Beats input from Graylog:

recv_buffer_size: 1048576
port: 5044
tls_key_file:
tls_enable:
tls_key_password:
tcp_keepalive:
tls_client_auth_cert_file:
tls_client_auth: disabled
override_source:
bind_address: 0.0.0.0
tls_cert_file:

Nothing in the Graylog server's log.
I am using the latest release of the Winlogbeat input from the Graylog marketplace.

I am experiencing the same issue, both with and without TLS. I have topbeat running fine to this input type over the, but when pointing winlogbeat to it from Windows Server 2012 no log data is received by Graylog, with the same messaging, rapid connection attempts and failures.

On the same server 2012 host, I am able to run collector-sidecar with nxlog and successfully read winlog events.

Looking forward to the fix :) I like using all the different beats.

I've tried to reproduce this issue with Winlogbeat 1.2.3 on Windows Server 2012 R2 Standard (Build 9600) and Graylog Beats Plugin 1.0.1 but the messages from Windows were successfully ingested by Graylog.

Screenshot

Please verify that the Graylog Beats Plugin has been successfully loaded, that the Beats input is listening on the correct network interface, and that the Windows machine has network access to the Graylog server.

FWIW, this is the configuration file I've been using with Winlogbeat (with 192.168.0.10 being the host running Graylog):

winlogbeat:
  registry_file: C:/ProgramData/winlogbeat/.winlogbeat.yml
  event_logs:
    - name: Application
      ignore_older: 72h
    - name: Security
    - name: System
output:
  logstash:
    hosts: ["192.168.0.10:5044"]
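The log in the report shows the connect succeeding and then `wsarecv` timing out, i.e. the Beats input accepts the TCP connection but never sends an acknowledgement. To separate that case from "port closed" or "host unreachable" when running the checks the maintainer asks for, here is an added probe that speaks the lumberjack v2 framing Beats 1.x uses (window frame, JSON data frame, ACK frame); it is not part of the plugin or of Winlogbeat, and the host, port and event content are constructed for illustration.

```python
import json
import socket
import struct
from typing import Optional

# Lumberjack v2 framing: version byte "2", a one-byte frame type, then
# big-endian uint32 fields. Beats 1.x output.logstash speaks this protocol.

def window_frame(size: int) -> bytes:
    """'2W' frame: how many data frames follow before an ACK is expected."""
    return b"2W" + struct.pack(">I", size)

def json_frame(seq: int, event: dict) -> bytes:
    """'2J' frame: sequence number, payload length, JSON payload."""
    payload = json.dumps(event).encode()
    return b"2J" + struct.pack(">II", seq, len(payload)) + payload

def parse_ack(data: bytes) -> Optional[int]:
    """Return the sequence number carried by a '2A' ACK frame, else None."""
    if len(data) >= 6 and data[:2] == b"2A":
        return struct.unpack(">I", data[2:6])[0]
    return None

def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Send one constructed event in a window of 1 and classify the outcome."""
    event = {"message": "beats input probe (constructed)", "beat": {"name": "probe"}}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(window_frame(1) + json_frame(1, event))
            try:
                reply = s.recv(6)
            except socket.timeout:
                # Same symptom as the winlogbeat log: connected, no ACK, read times out.
                return "connected-but-no-ack"
            return "ack" if parse_ack(reply) == 1 else "unexpected-reply"
    except ConnectionRefusedError:
        return "refused"          # nothing listening on that port
    except (socket.timeout, OSError):
        return "unreachable"      # routing/firewall problem before the TCP handshake

if __name__ == "__main__":
    # Hypothetical Graylog host and Beats input port from this thread's config.
    print(probe("192.168.232.123", 5044))
```

"ack" means the input decoded and acknowledged the frame, so a missing message is a Graylog-side problem; "connected-but-no-ack" points at the plugin not being loaded or not decoding the stream.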