Step 3: Configure Winlogbeat to use Logstash

edit

Step 3: Configure Winlogbeat to use Logstash

edit

Prerequisite

To send events to Logstash, you also need to create a Logstash configuration pipeline that listens for incoming Beats connections and indexes the received events into Elasticsearch. For more information, see the section about configuring Logstash in the Elastic Stack getting started tutorial. Also see the documentation for the Beats input and Elasticsearch output plugins.

If you want to use Logstash to perform additional processing on the data collected by Winlogbeat, you need to configure Winlogbeat to use Logstash.

To do this, you edit the Winlogbeat configuration file to disable the Elasticsearch output by commenting it out and enable the Logstash output by uncommenting the logstash section:

#----------------------------- Logstash output --------------------------------
output.logstash:
  hosts: ["127.0.0.1:5044"]

The hosts option specifies the Logstash server and the port (5044) where Logstash is configured to listen for incoming Beats connections.

For this configuration, you must load the index template into Elasticsearch manually because the options for auto loading the template are only available for the Elasticsearch output.

To test your configuration file, change to the directory where the Winlogbeat binary is installed, and run Winlogbeat in the foreground with the following options specified: ./winlogbeat test config -e. Make sure your config files are in the path expected by Winlogbeat (see Directory layout), or use the -c flag to specify the path to the config file.