How to configure filebeat for AD logs in Cloudwatch

Hello Elastic/Beat super heroes,

I am using filebeat to pull aws cloudwatch logs for an aws Active Directory service. So, the "message" property of the cloudwatch log record is the Windows Event log record. I would like to use winlogbeat module to process the Windows Event records and then store that in elastic.

So, filebeat pulls logs from Cloudwatch and passes "message" property values to winlogbeat and then onto elastic.

Is there a simple way to set up this pipeline without using logstash or other intermediary?

Thank you!
J

I don't think you can do this with Winlogbeat, as it expects to be able to read directly from the OS event logger. It doesn't have any inputs you can tell it to read from other locations.

The newest versions of filebeat have a processor to decode windows event logs, Decode XML Wineventlog | Filebeat Reference [8.2] | Elastic. You could probably use that and then send the data to the correct winlogbeat pipeline in Elasticsearch.

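As an added illustration of the approach described in the reply above (this is example configuration, not something posted in the thread or shipped by Elastic): a minimal filebeat.yml that reads the CloudWatch log group with the `aws-cloudwatch` input, runs the `decode_xml_wineventlog` processor over the `message` field, and hands the result to a Winlogbeat ingest pipeline. The region, log group name, Elasticsearch host and pipeline name are placeholders to be replaced with your own values; the pipeline name in particular depends on the Winlogbeat version whose pipelines were loaded into the cluster.

```yaml
# Added example config (not from the thread). Values marked PLACEHOLDER are assumptions.
filebeat.inputs:
  - type: aws-cloudwatch
    # PLACEHOLDER: the log group that AWS Directory Service forwards AD event logs to
    log_group_name: /aws/directoryservice/d-PLACEHOLDER
    region_name: us-east-1
    # Read existing records once, then tail new ones
    start_position: beginning
    scan_frequency: 1m
    # Credentials: an instance/task role is the usual choice; a named profile also works
    # credential_profile_name: PLACEHOLDER

processors:
  # The forwarded record arrives in "message" as Windows Event XML.
  # This processor parses it into winlog.* and, with map_ecs_fields, event.*/user.*/etc.
  - decode_xml_wineventlog:
      field: message
      target_field: winlog
      overwrite_keys: true
      map_ecs_fields: true
      ignore_missing: true
      # false: records that are not valid event XML surface as errors instead of passing silently
      ignore_failure: false

output.elasticsearch:
  hosts: ["https://localhost:9200"]   # PLACEHOLDER
  # PLACEHOLDER: Winlogbeat's routing pipeline, as loaded by "winlogbeat setup --pipelines";
  # the version in the name must match the Winlogbeat that loaded it, not this Filebeat
  pipeline: "winlogbeat-8.2.0-routing"
```

Before relying on it, confirm that the `message` value really is the XML rendering of the event (a record beginning with `<Event xmlns=...>`); if AWS forwards the event as plain rendered text instead, the processor has nothing to parse and the events will fail decoding rather than produce `winlog.*` fields. Running `winlogbeat setup --pipelines` once against the cluster is what makes the target pipeline exist at all; without it Elasticsearch rejects the documents with a missing-pipeline error, which is the first thing to check in the Filebeat log if nothing arrives.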

Oh that's neat!