Step 3: Configure Winlogbeat to use Logstash

Prerequisite
To send events to Logstash, you also need to create a Logstash configuration pipeline that listens for incoming Beats connections and indexes the received events into Elasticsearch. For more information, see the section about configuring Logstash in the Elastic Stack getting started tutorial. Also see the documentation for the Beats input and Elasticsearch output plugins.
If you want to use Logstash to perform additional processing on the data collected by Winlogbeat, you need to configure Winlogbeat to use Logstash.
To do this, you edit the Winlogbeat configuration file to disable the Elasticsearch output by commenting it out and enable the Logstash output by uncommenting the logstash section:
```yaml
#----------------------------- Logstash output --------------------------------
output.logstash:
  hosts: ["127.0.0.1:5044"]
```

The hosts option specifies the Logstash server and the port (5044) where Logstash is configured to listen for incoming Beats connections.
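A Logstash pipeline that pairs with this output, added here as an example rather than taken from the original page; the Elasticsearch address localhost:9200 is an assumption:

```conf
# Listen on the port that Winlogbeat's output.logstash.hosts points at.
input {
  beats {
    port => 5044
  }
}

output {
  elasticsearch {
    # Assumed Elasticsearch address for this example.
    hosts => ["localhost:9200"]
    # The beats input adds [@metadata][beat] and [@metadata][version], so the
    # index name matches what Winlogbeat would write when sending directly
    # (e.g. winlogbeat-<version>-<date>). @metadata itself is not indexed.
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
}
```

Because the index template is loaded manually in this setup, the index name produced here must match the index pattern the template was loaded with, otherwise Winlogbeat's field mappings will not apply to the indexed events.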
For this configuration, you must load the index template into Elasticsearch manually because the options for auto loading the template are only available for the Elasticsearch output.
To test your configuration file, change to the directory where the Winlogbeat binary is installed, and run Winlogbeat in the foreground with the following options specified: ./winlogbeat test config -e. Make sure your config files are in the path expected by Winlogbeat (see Directory layout), or use the -c flag to specify the path to the config file.