I am using filebeat to pull aws cloudwatch logs for an aws Active Directory service. So, the "message" property of the cloudwatch log record is the Windows Event log record. I would like to use winlogbeat module to process the Windows Event records and then store that in elastic.
So, filebeat pulls logs from Cloudwatch and passes "message" property values to winlogbeat and then onto elastic.
Is there a simple way to set up this pipeline without using logstash or other intermediary?
I don't think you can do this with Winlogbeat, as it expects to be able to read directly from the OS event logger. It doesn't have any inputs you can tell it to read from other locations.
The newest versions of filebeat have a processor to decode windows event logs, Decode XML Wineventlog | Filebeat Reference [8.2] | Elastic. You could probably use that and then send the data to the correct winlogbeat pipeline in Elasticsearch.
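As an added example (not posted by anyone in this thread), here is a filebeat.yml that wires the pieces the reply above names together: the aws-cloudwatch input, the decode_xml_wineventlog processor, and Elasticsearch output routed to a Winlogbeat ingest pipeline. It assumes the CloudWatch "message" field holds the raw <Event> XML (the processor needs XML, so check a sample record first), that the Winlogbeat 8.2.0 pipelines have already been loaded into the cluster (for example with winlogbeat setup --pipelines from a Windows host), and that the log group ARN, Elasticsearch hosts and AWS profile name are placeholders to replace.

```yaml
# Added example config, not from the original thread. Assumes the CloudWatch
# "message" field carries raw Windows Event XML and that the Winlogbeat 8.2.0
# ingest pipelines already exist in Elasticsearch. ARN, hosts and profile
# name below are placeholders.

filebeat.inputs:
  - type: aws-cloudwatch
    # Placeholder ARN for the Directory Service log group.
    log_group_arn: "arn:aws:logs:us-east-1:123456789012:log-group:/aws/directoryservice/d-1234567890ab:*"
    start_position: beginning
    scan_frequency: 1m
    # Prefer a named profile or an instance role over inline static keys.
    credential_profile_name: filebeat-cloudwatch

processors:
  # Parse the Windows Event XML in "message" into winlog.* plus the ECS
  # fields (event.code, event.provider, winlog.channel, ...) that the
  # Winlogbeat pipelines key on. Failures are not ignored so a non-XML
  # message shows up as an error instead of silently passing through.
  - decode_xml_wineventlog:
      field: message
      target: winlog
      overwrite_keys: true
      map_ecs_fields: true
      ignore_missing: false
      ignore_failure: false
  # Once decoded, drop the raw XML so the event is not indexed twice.
  - drop_fields:
      fields: ["message"]
      ignore_missing: true
      when:
        has_fields: ["winlog.event_id"]

output.elasticsearch:
  hosts: ["https://es.example.internal:9200"]   # placeholder
  # Route by channel to the matching Winlogbeat pipeline. The version in the
  # pipeline id must match the Winlogbeat release whose pipelines were loaded.
  pipelines:
    - pipeline: "winlogbeat-8.2.0-security"
      when.equals:
        winlog.channel: "Security"
    - pipeline: "winlogbeat-8.2.0-sysmon"
      when.equals:
        winlog.channel: "Microsoft-Windows-Sysmon/Operational"
```

Validate with filebeat test config and filebeat test output before running it for real. If the Directory Service messages turn out not to be XML, decode_xml_wineventlog will error on every event, which is why ignore_failure is left false here: a silent fall-through would leave raw text in Elasticsearch without any of the winlog.* fields the Winlogbeat pipelines expect.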