winlogbeat config setup

[angusyang1130]

Hi TA, I have two questions to ask:

1. I want to set up the configuration of the winlogbeat and I am on step 3, but it says "more than one configured accessing output, what is the problem I might have met?
2. Is the elastic.zip file need to be launched on the Ubuntu VM? If so, I am not sure how to install the docker first before docker-compose up

[dsnslab]

1. Maybe you can get some hints from the reference below. They are the others environment issues before. Try to figure out what the output meaning in the winlogbeat.yml, we also supply the official document about the output of winlogbeat below. Github Issue : #41 Logstash-output: https://www.elastic.co/guide/en/beats/winlogbeat/current/logstash-output.html Elasticsearch-output: https://www.elastic.co/guide/en/beats/winlogbeat/current/elasticsearch-output.html

2. The error seem to be permission error. Add the 'sudo' before the docker command. Please check if there are 4 containers under your Ubuntu VM. You can check it with 'docker ps -a' command. If there is permission error, then you should add 'sudo'. If there are actually 4 containers under your Ubuntu VM, just run 'docker-compose up'.

[crystal0523]

Hi, TA, I have the same question of winlogbeat setting: After I run PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-winlogbeat.ps1. , the system show: Status : Stopped Name : winlogbeat DisplayName : winlogbeat But when I started to run .\winlogbeat.exe setup -e , it shows up the error message: I'm wondering if there's something I missed? thanks!

[dsnslab]

The message shown after PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-winlogbeat.ps1 means that you've already installed the service, but haven't started yet.

For installing winlogbeat, please refer to this response.

Besides, the error message in the screenshot seems not to be .\winlogbeat.exe setup -e as you mentioned.

[angusyang1130]

Hi TA, I think I have figured out the previous problem, but now I have some questions about kibana:

1. I am on the step to set up the dashboard to kibana by powershell, but it says the version is not right or something like that, I am not sure how to solve it
2. I think I have gotten into the kibana website, but I am not sure if the setting is right, and I didn't receive any log yet ( it says error)

[dsnslab]

Hi. You do not need to set up the dashboard to kibana from Powershell. You could ignore this step and try to start the service directly.

[angusyang1130]

Thank you TA, but now when I type in "Start-Service winlogbeat", it says could not find the service, is there anything I might do wrong during the configuration?

[dsnslab]

@angusyang1130, looks like you forgot to install the service first.

[angusyang1130]

Hi TA, Right, I did not notice that, thank you for pointing out. Right now I am trying to debug the configuration of winlogbeat service( the command "./winlogbeat -e", but there are some errors, it says there are some problems on the dashboard and kibana version, I am not sure how to solve it.

[dsnslab]

Please refer to #37. The question and the response may help.

Feel free to ask if other problems still exist.

[angusyang1130]

Hi TA, I have looked at #37, but I have already commented the setting of output.elasticsearch, should I do something do something else?

[dsnslab]

Please verify that the error originates from winlogbeat -e. The screenshot you posted looks similar to the output of winlogbeat setup -e

Did you remember to uncomment output.logstash as well?

[angusyang1130]

Hi TA, here are screenshots of powershell and winlogbeat.yml

[dsnslab]

It seems that your winlogbeat is still trying to set up the dashboard on the Kibana. Please check if you set the setup.dashboards.enabled to true in your configuration file. This option should be commented out or be set to false.

If the problem still exists, you could try to get a clean winlogbeat.example.yml and only re-config the necessary settings.

[angusyang1130]

HI TA, Yes, I did set it to true, I can get the winlogbeat logs now, but may I ask that is screen savor dismiss means to set up in group policy "stop screen saver" or just set the screen saver to "close" from the computer