I'm seeking assistance with forwarding Windows Server Active Directory logs to my centralized Linux-based log server. I've set up Filebeat on the Windows Server and Logstash on the log server (Linux). Despite configuring both Filebeat and Logstash, I'm not receiving the logs on Logstash.
Filebeat configuration (filebeat.yml):

###################### Filebeat Configuration Example #########################
filebeat.inputs:
# filestream tails line-oriented text files; the files under winevt\Logs are
# binary .evtx channels, which the winlog input (below) is designed to read.
- type: filestream
  enabled: true
  paths:
    - C:\Windows\System32\winevt\Logs\*

filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: true
  reload.period: 60s

setup.template.settings:
  index.number_of_shards: 1

# Each entry is one "host:port" string pointing at the Logstash beats input.
output.logstash:
  hosts: ["IP Address xxx:port number"]

processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
Logstash configuration (logstash.conf):

input {
  beats {
    # address to bind on; port is an integer in a real config (e.g. 5044)
    host => "IP Address"
    port => "Port Num"
  }
}

output {
  # write every received event as one line to a local file
  file {
    path => "/var/log/testwin.log"
    codec => "line"
  }
}
I've configured Filebeat to collect Windows Event Logs using an alternative method but still receive no logs:

filebeat.inputs:
- type: winlog
  event_logs:
    - name: Application
      ignore_older: 72h   # skip events older than 72 hours on first run
    - name: Security
    - name: System
Both Filebeat and Logstash are deployed across different platforms (Windows and Linux) within the same network. Despite specifying the IP and port on both platforms, I'm still not receiving the logs.
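For comparison, here is an added example of a minimal filebeat.yml that ships the three event log channels above to a Logstash beats input. It is not the poster's configuration or anything from the Elastic project; the address 192.0.2.10 and the port 5044 are assumed placeholder values to be replaced with the log server's real address and the port the beats input listens on. Two points differ from the configurations in the question: the filestream input is dropped, because it reads text files line by line and cannot parse the binary .evtx files under winevt\Logs, and the Logstash hosts entry is a single "host:port" string with no spaces or scheme.

```yaml
# Added example, not the poster's config. 192.0.2.10 and 5044 are assumed
# placeholders for the Logstash server address and beats input port.
filebeat.inputs:
- type: winlog
  event_logs:
    - name: Application
      ignore_older: 72h
    - name: Security   # reading this channel requires Filebeat to run with
                       # rights to the Security log (e.g. as a service under
                       # an account in Event Log Readers or as Administrator)
    - name: System

# Exactly one output may be configured; remove any output.elasticsearch block
# when sending to Logstash.
output.logstash:
  hosts: ["192.0.2.10:5044"]

processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded

logging.level: info
```

On the Logstash side the matching beats input takes the port as a number (`port => 5044`) and, when Filebeat connects from another machine, should bind to an interface reachable from Windows (`host => "0.0.0.0"` listens on all interfaces). To confirm the pipe end to end: on Windows run `filebeat.exe test config -e` and then `filebeat.exe test output -e` from the Filebeat install directory, which attempts a real TCP connection to every configured host and reports the failure reason; on the Linux side check with `ss -ltnp` that Logstash is actually bound to the port and that the host firewall permits inbound traffic on it.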