Common Issues

  1. ESKM logs not being received in Elasticsearch

  • Restart Filebeat:

    Restart-Service filebeat

  • Check Filebeat logs:

    Get-Content "C:\ProgramData\filebeat\logs\filebeat" -Wait

  • Verify Syslog port is listening (UDP/TCP 514):

    netstat -ano | findstr 514

  • Allow Syslog in Windows Firewall:

    New-NetFirewallRule -DisplayName "Syslog 514" -Protocol UDP -LocalPort 514 -Action Allow

  2. Cannot log in to Elasticsearch (username/password prompt failing)

  • Use the correct admin credentials configured during setup.

  • If the password is forgotten, reset it:

    .\elasticsearch-reset-password.bat -u elastic

  3. Elasticsearch not starting (certificate errors)

  • Confirm the instance.yml contains the correct IP and hostname.

  • Regenerate certificates using:

    & "C:\Users\Utimaco\Downloads\elasticsearch-9.2.0-windows-x86_64\elasticsearch-9.2.0\bin\elasticsearch-certutil.bat" cert --ca "C:\certs\elastic-stack-ca.p12" --in "C:\certs\instance.yml" --out "C:\certs\certs.zip" --pem
    
  • Replace node.crt, node.key, ca.crt in the config path.

  • Restart Elasticsearch.

  4. Filebeat service stops or configuration error

  • Test Filebeat configuration:

    .\filebeat.exe test config

  • Run Filebeat in debug mode:

    .\filebeat.exe -e

  • Fix YAML indentation if errors appear.
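The checks for issues 1 and 4 above can be run in one pass with the following PowerShell script. It is an added example, not part of the original guide; it assumes the Filebeat service is named "filebeat", that the install folder is the assumed path in $FilebeatDir, and that the log directory is the C:\ProgramData\filebeat\logs path used above.

```powershell
# Added diagnostic script (not from the original guide). Runs the Filebeat /
# syslog checks from issues 1 and 4 and reports each one as OK or FAIL.
param(
    [string]$FilebeatDir = "C:\Program Files\Filebeat",   # assumed install path
    [int]$SyslogPort     = 514
)

function Test-FilebeatPipeline {
    $results = [ordered]@{}

    # 1. Is the Filebeat service running? (service name "filebeat" assumed)
    $svc = Get-Service -Name filebeat -ErrorAction SilentlyContinue
    $results['Filebeat service running'] = ($null -ne $svc -and $svc.Status -eq 'Running')

    # 2. Is anything listening for syslog on UDP or TCP 514?
    $udp = Get-NetUDPEndpoint  -LocalPort $SyslogPort -ErrorAction SilentlyContinue
    $tcp = Get-NetTCPConnection -LocalPort $SyslogPort -State Listen -ErrorAction SilentlyContinue
    $results["Syslog listener on port $SyslogPort"] = [bool]($udp -or $tcp)

    # 3. Does an enabled inbound Allow rule cover that port?
    $allowRule = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains "$SyslogPort" }
    $results["Inbound firewall rule for port $SyslogPort"] = [bool]$allowRule

    # 4. Does filebeat.yml parse? Same check as ".\filebeat.exe test config".
    $exe = Join-Path $FilebeatDir 'filebeat.exe'
    if (Test-Path $exe) {
        $null = & $exe -c (Join-Path $FilebeatDir 'filebeat.yml') test config 2>&1
        $results['filebeat.yml valid'] = ($LASTEXITCODE -eq 0)
    } else {
        $results['filebeat.yml valid'] = $false
    }

    # 5. Has Filebeat written to its log directory in the last 10 minutes?
    $log = Get-ChildItem 'C:\ProgramData\filebeat\logs' -File -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    $results['Filebeat log updated in last 10 min'] =
        ($null -ne $log -and $log.LastWriteTime -gt (Get-Date).AddMinutes(-10))

    return $results
}

$report = Test-FilebeatPipeline
foreach ($check in $report.Keys) {
    $state = if ($report[$check]) { 'OK  ' } else { 'FAIL' }
    Write-Host "[$state] $check"
}
```

Run it from an elevated PowerShell session, since the firewall and network cmdlets need administrator rights; any FAIL line points back to the matching bullet above.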