Windows SIEM Collector troubleshooting steps

This guide will take you through the checks to carry out if your Windows SIEM collector stops logging to our SIEM platform.

Written by Alan Butcher

Check if logstash is running

We need to run PowerShell to check the status of logstash. This is done by following the steps below:

  1. Press Win + R on your keyboard to open the Run dialog.

  2. Type powershell and press Ctrl + Shift + Enter to launch PowerShell as an administrator (accept the UAC prompt if one appears).

  3. In PowerShell, type the following command:

Get-Service logstash

This will output the status of logstash:

Status   Name               DisplayName
------   ----               -----------
Running  logstash           logstash

If logstash is not running, you can start it with the following command:

Start-Service logstash

If logstash doesn't start, make a note of the error.

Check connectivity to the Defense.com SIEM platform

The next thing to check is whether you're still able to get a connection through to our SIEM platform, by running the following command in PowerShell (tnc is the built-in alias for Test-NetConnection):

tnc dc-edge-0.siem.bulletproof.co.uk -Port 31090

If the connection is successful you'll see a response similar to the one below showing TcpTestSucceeded as True:

ComputerName     : dc-edge-0.siem.bulletproof.co.uk
RemoteAddress    : 31.28.93.145
RemotePort       : 31090
InterfaceAlias   : Ethernet
SourceAddress    : 10.0.2.15
TcpTestSucceeded : True

If the connection is unsuccessful you'll see a response similar to the one below showing TcpTestSucceeded as False:

WARNING: TCP connect to (31.28.93.145 : 31090) failed
WARNING: Ping to 31.28.93.145 failed with status: TimedOut

ComputerName           : dc-edge-0.siem.bulletproof.co.uk
RemoteAddress          : 31.28.93.145
RemotePort             : 31090
InterfaceAlias         : Ethernet
SourceAddress          : 10.0.2.15
PingSucceeded          : False
PingReplyDetails (RTT) : 0 ms
TcpTestSucceeded       : False

Obtain a copy of the Logstash logs

A copy of the logstash logs is very useful, as it gives us an indication of the cause of the problem. Please provide a copy of the logstash-plain.log file, which is located at:

C:/Program Files/logstash/logs/logstash-plain.log

Check the public IP address of your collector

Sometimes a change of Internet Service Provider can happen, or your public IP address can change. To ensure we're whitelisting the current IP address, please check and provide us with your public IP address by running the following command in PowerShell. Note that ipconfig shows the address configured on the collector's own network interface; if the collector sits behind NAT, the public address we need is the one your router or firewall presents to the Internet.

ipconfig

Check your keystore.jks file is valid

There can sometimes be issues with the Logstash certificate (keystore.jks file).

You can check the keystore.jks file is valid by following the steps in our support guide at:

Check your internal SSL Certificate is valid

Finally, if you're using an internal SSL certificate, you need to check that it is still valid.

First, you need to find your internal SSL certificate. Its path and filename will be found in your winlogbeat.yml file, which should be in the default location:

C:/Program Files/winlogbeat/

The path to your certificate will be located on the line starting:

ssl.certificate_authorities:

Now that you have the path to the certificate, navigate to it, open the certificate file in Notepad, and copy and paste the content into the Certificate Decoder on the following page:

This will then display your certificate information including the Valid To: field.

If this date has lapsed you'll need to renew your certificate.
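As an added example (not part of this guide or of the Defense.com tooling), the following PowerShell script runs the service, connectivity and CA-certificate checks described above in one go and reads the certificate's Valid To date locally, with no web decoder needed. It assumes winlogbeat.yml is in the default location given above and that the file referenced by ssl.certificate_authorities is a PEM or DER certificate; the variable and function names are this example's own.

```powershell
# Added example, not part of the original guide: runs the service, connectivity and
# CA-certificate checks from this page in one script. Assumed: winlogbeat.yml lives in
# the default location named above, and the CA file is a PEM or DER certificate.
$WinlogbeatConfig = 'C:\Program Files\winlogbeat\winlogbeat.yml'
$SiemHost = 'dc-edge-0.siem.bulletproof.co.uk'
$SiemPort = 31090

function Test-CollectorService {
    # True when the logstash Windows service is in the Running state.
    $svc = Get-Service -Name logstash -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning 'logstash service not installed'; return $false }
    Write-Host ("logstash service status: {0}" -f $svc.Status)
    return ($svc.Status -eq 'Running')
}

function Test-SiemConnectivity {
    # Same test as the tnc command above; returns the TcpTestSucceeded value.
    $r = Test-NetConnection -ComputerName $SiemHost -Port $SiemPort -WarningAction SilentlyContinue
    Write-Host ("TCP {0}:{1} reachable: {2}" -f $SiemHost, $SiemPort, $r.TcpTestSucceeded)
    return $r.TcpTestSucceeded
}

function Get-CaCertificatePath {
    # Returns the first path under ssl.certificate_authorities in winlogbeat.yml,
    # accepting both the inline form ["C:\ca.pem"] and the "- C:\ca.pem" list form.
    $lines = @(Get-Content -Path $WinlogbeatConfig)
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match '^\s*ssl\.certificate_authorities\s*:\s*(.*)$') {
            $rest = $Matches[1]
            if ($rest -match '\[\s*["'']?([^"'',\]]+)') { return $Matches[1].Trim() }
            if (($i + 1) -lt $lines.Count -and $lines[$i + 1] -match '^\s*-\s*["'']?([^"'']+)') { return $Matches[1].Trim() }
        }
    }
    return $null
}

function Test-CaCertificate {
    # Reads the CA certificate offline and reports its Valid To date and days remaining.
    $path = Get-CaCertificatePath
    if (-not $path) { Write-Warning 'ssl.certificate_authorities not set in winlogbeat.yml'; return $false }
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    Write-Host ("CA certificate {0}: Valid To {1} ({2} days remaining)" -f $cert.Subject, $cert.NotAfter, $daysLeft)
    return ($daysLeft -gt 0)
}

Test-CollectorService; Test-SiemConnectivity; Test-CaCertificate
```

Run it from an elevated PowerShell session; a False from any of the three functions points you at the corresponding section of this guide.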

Please reach out to us through a support ticket if you need assistance with this.
