WARNING: Version 1.2 of Winlogbeat has passed its EOL date.

This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.

« Step 2: Configuring Winlogbeat Step 4: Loading the Index Template in Elasticsearch »
Elastic Docs Winlogbeat Reference [1.2] Getting Started With Winlogbeat

Step 3: Configuring Winlogbeat to Use Logstash

edit

Step 3: Configuring Winlogbeat to Use Logstash

edit

If you want to use Logstash to perform additional processing on the data collected by Winlogbeat, you need to configure Winlogbeat to use Logstash.

To do this, you edit the Winlogbeat configuration file to disable the Elasticsearch output by commenting it out and enable the Logstash output by uncommenting the logstash section:

output:
  logstash:
    hosts: ["127.0.0.1:5044"]

    # Optional load balance the events between the Logstash hosts
    #loadbalance: true

In this configuration, hosts specifies the Logstash server and the port (5044) where Logstash is configured to listen for incoming Beats connections.

To test your configuration file, run Winlogbeat in the foreground with the following options specified: ./winlogbeat -configtest -e.

To use this configuration, you must also set up Logstash to receive events from Beats.

« Step 2: Configuring Winlogbeat Step 4: Loading the Index Template in Elasticsearch »