Configure "Winlogbeat" for Logstash


(Jason) #1

Hello.
I installed "Logstash", "Elasticsearch" and "Kibana" on my Linux box. I installed Winlogbeat on my Windows server and I would like to forward the Windows Event Log to my Linux box. My Winlogbeat configuration is:

#======================= Winlogbeat specific options ==========================

# event_logs specifies a list of event logs to monitor as well as any
# accompanying options. The YAML data type of event_logs is a list of
# dictionaries.
#
# The supported keys are name (required), tags, fields, fields_under_root,
# forwarded, ignore_older, level, event_id, provider, and include_xml. Please
# visit the documentation for the complete details of each option.
# https://go.es.io/WinlogbeatConfig
winlogbeat.event_logs:
#  - name: Application
#    ignore_older: 72h
  - name: Security
#  - name: System

#================================ General =====================================

# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
#name:

# The tags of the shipper are included in their own field with each
# transaction published.
#tags: ["service-X", "web-tier"]

# Optional fields that you can specify to add additional information to the
# output.
#fields:
#  env: staging

#================================ Outputs =====================================

# Configure what outputs to use when sending the data collected by the beat.
# Multiple outputs may be used.

#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["172.30.9.20:9200"]

  # Optional protocol and basic auth credentials.
  #protocol: "https"
  #username: "elastic"
  #password: "changeme"

#----------------------------- Logstash output --------------------------------
#output.logstash:
  # The Logstash hosts
  hosts: ["172.30.9.20:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

#================================ Logging =====================================

# Sets log level. The default log level is info.
# Available log levels are: critical, error, warning, info, debug
#logging.level: debug

# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publish", "service".
#logging.selectors: ["*"]

Must I change my "Logstash" or "Elasticsearch" configuration on the Linux box?

Thank you.


(Magnus Bäck) #2

Must I change my "Logstash" or "Elasticsearch" configuration on the Linux box?

That depends on what your Logstash or Elasticsearch configuration is and whether you want to send the data to Logstash or Elasticsearch.

Note that you've commented out the output.logstash line so that the hosts: ... line that follows is actually connected to the output.elasticsearch block a few lines up.
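To make the point concrete, here is what the output section of the posted winlogbeat.yml would look like with the Logstash output actually enabled. This is an added example, not a file from the thread: Winlogbeat accepts only one output at a time, so the Elasticsearch block is commented out as a whole and the Logstash block is uncommented as a whole, which is what keeps the indented hosts: line attached to the right parent. The ssl.* keys are the ones already present in the posted file; the Windows certificate paths are placeholders and must be replaced with the CA that signed the Logstash beats-input certificate and, if Logstash requires client certificates, this host's own certificate and key.

```yaml
winlogbeat.event_logs:
  - name: Security

# Only one output may be active. With "#output.logstash:" commented out
# but "hosts:" left indented, YAML attaches that hosts entry to the
# previous mapping (output.elasticsearch), which is the mistake in the
# original file. Comment out the whole unused block instead.
#output.elasticsearch:
#  hosts: ["172.30.9.20:9200"]

output.logstash:
  hosts: ["172.30.9.20:5044"]

  # Plaintext beats traffic between the Windows server and the Linux box
  # can be read or modified on the wire; enable the TLS options that the
  # default config ships commented out. Paths below are assumptions.
  ssl.certificate_authorities: ["C:/ProgramData/winlogbeat/ca.pem"]
  ssl.certificate: "C:/ProgramData/winlogbeat/client.pem"
  ssl.key: "C:/ProgramData/winlogbeat/client.key"
```

For this to work the Linux box needs a matching change: Logstash must run a pipeline with a beats input listening on port 5044 (with ssl enabled and the corresponding certificate and key if the ssl.* keys above are used), and since Winlogbeat no longer writes to Elasticsearch itself, that pipeline needs its own elasticsearch output pointing at 172.30.9.20:9200. The Elasticsearch configuration itself does not change. In Winlogbeat 6 and later, `winlogbeat.exe test config -c winlogbeat.yml` reports the parse result and `winlogbeat.exe test output -c winlogbeat.yml` attempts the connection, so both sides can be checked before the service is started.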


(Jason) #3

As I understand it, Winlogbeat can send the event log to "Elastic" or "Logstash" directly, and I can do it just with "Elastic"!!!!
In your opinion, do I need both of them?


(Magnus Bäck) #4

In your opinion, do I need both of them?

Not necessarily. Logstash allows further processing of events but if you don't need that you can skip it.


(Jason) #5

Thank you. Thus "Elastic" is enough.
