We would like to pull windows logs from a remote computer -- actually it is a NAS/CIFS server running on an EMC storage server -- so no way to run winlogbeat locally.
From the event viewer on a windows computer I can connect to this "server" and see normal looking classic Windows event logs. Can winlogbeat be used to get these logs into ELK? If not, any ideas how to do this?
Winlogbeat can't do remote logs sorry.
If you can connect from Event Viewer on a remote machine, then you should be able to setup an Event Subscription where the remote computer pulls the events from the NAS into the ForwardedEvents log on the remote Windows machine. Then you setup Winlogbeat to monitor the ForwardedEvents log.
This feature is built into MS Vista and newer operating systems and is my preferred approach to collecting remote event logs.
Thanks! I'll give it a try.
Unfortunately I cannot create a subscription to this NAS server - no WinRM service.
One thing I found that could work is the MS LogParser to reach the logs and select out records to a CSV file. What are my options to get this into Logstash? Is there anyway I can utilize the new winlogbeat eventlog record fields to filter and format the log data? I do have some newbie experience with filebeat, if this is the way to do it.
Any other suggestions?
Thank you for your help.
You could run Logstash on the same machine as the CSV file and use the file input with a CSV filter.
No, but based on this use case where you can't use the WinRM service, I will put remote event logs back on the list of features to consider adding.
Ok, thanks for the help. I will do this.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.