How to collect windows event logs using Logstash?

amruth · June 19, 2017, 2:22pm

Hi, I am trying to collect Windows event logs through logstash, but it's giving me an error as,

10:19:40.614 [LogStash::Runner] ERROR logstash.agent - Cannot load an invalid configuration {:reason=>"Couldn't find any input plugin named 'eventlog'. Are you sure this is correct? Trying to load the
eventlog input plugin resulted in this error: Problems loading the requested plugin named eventlog of type input. Error: NameError NameError"}

And also I have read that Winlogbeat is the best method to capture Windows Event logs. Can you please suggest what to use? Here is the config I am using. Any help is highly appreciated.

input{
eventlog {
type => 'Win32-EventLog'
logfile => 'System'
}
}
output{
stdout {
codec=>rubydebug
}
}

Christian_Dahlqvist · June 19, 2017, 2:26pm

This is exactly what Winlogbeat was designed for, so I would recommend using that instead.

amruth · June 19, 2017, 2:49pm

Thanks for your quick reply Christian. I will use Winlogbeat. Thanks again

amruth · June 19, 2017, 3:04pm

Christian - Do you have any idea why it is throwing errors? I've tried installing 'logstash-input-eventlog', but it's still throwing the same error.

Christian_Dahlqvist · June 19, 2017, 3:20pm

I am not a Windows user, so will unfortunately not be able to help.

system · July 17, 2017, 3:20pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.