Collecting Windows event log


I have read about different options to collect Windows eventlog to LogStash.
I am trying to understand what is currently the preferred way.
Moreover, since I want to do it remotely, I need to do it efficiently, performance-wise.

Any suggestions?

You should look at Winlogbeat.

Does WinLogBeat support remote eventlog? I did not find such settings.

It does not.

There are the WMI plugin and the Eventlog plugin. Neither supports remote eventlog.
There is also WinLogBeat, which doesn't support remote either.
There is also a documented feature for WMI here:, but first it needs to be enhanced to support 'tail like' functionality, and secondly the WMI solution is not recommended by Microsoft for pulling eventlog data.
And last, there are discussions about nxlog with LogStash.

So what is the preferred way currently to collect Windows eventlog data remotely?

I'll appreciate your thoughts.

Give nxlog a try. It does not require Java and can run with minimal resources.

nxlog on Windows servers > central Logstash > ES

The problem with NXlog is that only the enterprise edition supports remote collection of Windows EventLog. More surprisingly, things like eventdata, which I think is a very important part of an event, are only supported in the enterprise edition.

So back to square one :(

Since a tool needs to continuously monitor Windows event logs and forward them to ES, I think it would be better if you have nxlog run locally on each server. Furthermore, things like security logs are a lot, so it is painful for a tool to monitor all servers and grab the logs. I'd rather use GPO to deploy nxlog and PowerShell to update the config and restart the nxlog service from an admin workstation.
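
The workflow from the last reply (a local nxlog agent on each server, config pushed and service restarted from an admin workstation), as an added example that is not from the thread or from the nxlog project. The server names, Logstash endpoint and port, install directory and service name `nxlog` are assumptions, and the Logstash side is assumed to be a `tcp` input with a `json_lines` codec.

```powershell
# Added example; host names, Logstash endpoint and nxlog paths are assumptions.
$Servers      = 'srv01.example.test', 'srv02.example.test'  # constructed names
$LogstashHost = 'logstash.example.test'                      # assumed endpoint
$LogstashPort = 5140                                         # assumed Logstash tcp input port
$NxlogRoot    = 'C:\Program Files (x86)\nxlog'               # assumed install directory

# Minimal nxlog.conf: read the local event log, emit one JSON object per line.
# om_tcp sends plaintext, so keep it on a trusted segment; om_ssl is nxlog's TLS output.
$Conf = @"
define ROOT $NxlogRoot
Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension json>
    Module  xm_json
</Extension>
<Input eventlog>
    Module  im_msvistalog
</Input>
<Output logstash>
    Module  om_tcp
    Host    $LogstashHost
    Port    $LogstashPort
    Exec    to_json();
</Output>
<Route eventlog_to_logstash>
    Path    eventlog => logstash
</Route>
"@

foreach ($Server in $Servers) {
    try {
        # Reach the config through the administrative share (C:\ -> \\host\C$).
        $Target = "\\$Server\" + ($NxlogRoot -replace '^C:', 'C$$') + '\conf\nxlog.conf'
        # Keep the previous config; this also fails early if nxlog is not installed there.
        Copy-Item -LiteralPath $Target -Destination "$Target.bak" -Force -ErrorAction Stop
        Set-Content -LiteralPath $Target -Value $Conf -Encoding Ascii -ErrorAction Stop
        # Restart remotely and report the resulting service state.
        $Status = Invoke-Command -ComputerName $Server -ErrorAction Stop -ScriptBlock {
            Restart-Service -Name nxlog -ErrorAction Stop
            (Get-Service -Name nxlog).Status.ToString()
        }
        Write-Output "${Server}: nxlog is $Status"
    } catch {
        Write-Warning "${Server}: $($_.Exception.Message)"
    }
}
```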