How to configure winlogbeat + logstash + elasticsearch?

Config winlogbeat:
winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: System
  - name: Security
  - name: Microsoft-Windows-Sysmon/Operational
  - name: Windows PowerShell
    event_id: 400, 403, 600, 800
  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104, 4105, 4106
  - name: ForwardedEvents
    tags: [forwarded]
setup.template.settings:
  index.number_of_shards: 1
output.logstash:
  hosts: ["IP_EXAMPLE:3333"]
  ssl.certificate_authorities: ["C:/Program Files/winlogbeat/ca_logstash_cert.pem"]
  ssl.certificate: "C:/Program Files/winlogbeat/logstash_server.crt"
  ssl.key: "C:/Program Files/winlogbeat/logstash_server.key"
  # the option lives under the ssl namespace; a bare verification_mode is ignored
  ssl.verification_mode: certificate
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~

Config logstash:

input {
  beats {
    port => 3333
    ssl_enabled => true
    ssl_certificate_authorities => "/etc/logstash/certs/ca_logstash_cert.pem"
    ssl_certificate => "/etc/logstash/certs/logstash_server.crt"
    ssl_key => "/etc/logstash/certs/logstash_server.key"
    ssl_client_authentication => "required"
    type => winlogbeat
  }
}
filter {
  if [type] == "winlogbeat" {
    mutate { add_field => { "[@metadata][pipeline]" => "winlogbeat-%{[agent][version]}-routing" } }
  } else if !([@metadata][pipeline]) {
    mutate { add_field => { "[@metadata][pipeline]" => "" } }
  }
}
output {
  elasticsearch {
    ssl_enabled => true
    hosts => ["https://localhost:9200"]
    ssl_verification_mode => none
    ssl_certificate_authorities => "/etc/pki/tls/certs/ca_authorities.crt"
    api_key => "adfadfadfdafadfadkjj323i4uiu4"
    data_stream => auto
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
    action => "create"
  }
}

This configuration does not work. Why? What is the problem?
I imported the winlogbeat template and dashboard.
I am using winlogbeat 8.17.1, logstash 8.17.1 and elasticsearch 8.17.1.
The dashboard becomes empty.
The template does not recognize the winlogbeat logs.

What errors do you get? What do you see in the winlogbeat and logstash logs?

It is not recognizing some tags.
Example:
related.user
user.domain
user.id
user.name

When I configure winlogbeat with elasticsearch, the tags work.

What is the index name when you send it directly to Elasticsearch?

Beats on version 8 create data streams, and data streams have a different naming schema.

This is not correct:

index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"

It should be just as the example in the documentation

index => "%{[@metadata][beat]}-%{[@metadata][version]}"

Same problem. I tested it.
I think this is the problem:
Tags: beats_input_codec_plain_applied and
_ignored:[event.original.keyword, message.keyword]

When I use winlogbeat with elasticsearch I don't see "beats_input_codec_plain_applied" and "_ignored:[event.original.keyword, message.keyword]".

What is the name of the index when you send directly to Elasticsearch? You didn't share it.

Please provide more context to make it clear to where winlogbeat is writing the events when using Logstash and when using Elasticsearch.

Also, you need to change your pipeline to something like the one in the documentation.

Your logstash output does not have information about which pipeline the request should use when it arrives in Elasticsearch. You need to have a pipeline setting in your logstash output as described in the documentation; without it your message will not be fully parsed and some fields will be missing.

Remove your filter block, your output should be something like this:

output {
  if [@metadata][pipeline] {
    elasticsearch {
      hosts => ["https://localhost:9200"]
      ssl_enabled => true
      ssl_verification_mode => none
      ssl_certificate_authorities => "/etc/pki/tls/certs/ca_authorities.crt"
      api_key => "adfadfadfdafadfadkjj323i4uiu4"
      manage_template => false
      index => "%{[@metadata][beat]}-%{[@metadata][version]}"
      action => "create"
      pipeline => "%{[@metadata][pipeline]}"
    }
  } else {
    elasticsearch {
      hosts => ["https://localhost:9200"]
      ssl_enabled => true
      ssl_verification_mode => none
      ssl_certificate_authorities => "/etc/pki/tls/certs/ca_authorities.crt"
      api_key => "adfadfadfdafadfadkjj323i4uiu4"
      manage_template => false
      index => "%{[@metadata][beat]}-%{[@metadata][version]}"
      action => "create"
    }
  }
}
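To see concretely why the dated index pattern breaks the dashboards and why the missing `pipeline` setting leaves ECS fields such as `user.name` empty, here is a small resolver for Logstash's `%{[field]}` and `%{+date}` references, run against a constructed Winlogbeat 8.17.1 event. It is an added example written for this thread, not Elastic code; the sample event, the expected data stream name `<beat>-<version>` and the `<beat>-<version>-routing` pipeline name follow what the replies above state.

```python
"""Resolve Logstash sprintf references against a sample Winlogbeat event and
flag the two output problems discussed in the thread (dated index name, no
pipeline setting). Added example; not Logstash's own implementation."""
import re
from datetime import datetime, timezone

# Constructed sample: the shape the beats input hands to the output section
# for one Winlogbeat 8.17.1 event. Not a captured event.
SAMPLE_EVENT = {
    "@timestamp": "2025-02-03T10:15:30.000Z",
    "@metadata": {"beat": "winlogbeat", "version": "8.17.1", "type": "_doc",
                  "pipeline": "winlogbeat-8.17.1-routing"},
    "agent": {"version": "8.17.1"},
    "winlog": {"channel": "Security", "event_id": "4624"},
}

FIELD_REF = re.compile(r"%\{(\[[^{}]+\])\}")   # %{[@metadata][beat]}
DATE_REF = re.compile(r"%\{\+([^{}]+)\}")      # %{+YYYY.MM.dd}
# Subset of the Joda-style tokens Logstash accepts, mapped to strftime.
JODA_TO_STRFTIME = [("YYYY", "%Y"), ("MM", "%m"), ("dd", "%d"), ("HH", "%H")]


def get_field(event, ref):
    """Walk a bracketed path like "[@metadata][beat]"; None if a hop is missing."""
    node = event
    for key in re.findall(r"\[([^\]]+)\]", ref):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def resolve(pattern, event):
    """Substitute field and date references the way Logstash's sprintf does.
    A missing field is left verbatim (Logstash behaviour), which is itself a
    useful signal: an index name still containing '%{' means the field was
    never set on the event."""
    ts = datetime.strptime(event["@timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")
    ts = ts.replace(tzinfo=timezone.utc)   # Logstash formats %{+...} in UTC

    def date_sub(m):
        fmt = m.group(1)
        for joda, strf in JODA_TO_STRFTIME:
            fmt = fmt.replace(joda, strf)
        return ts.strftime(fmt)

    def field_sub(m):
        value = get_field(event, m.group(1))
        return m.group(0) if value is None else str(value)

    return FIELD_REF.sub(field_sub, DATE_REF.sub(date_sub, pattern))


def check_output(settings, event):
    """Resolve the index/pipeline settings of an elasticsearch output block and
    return (resolved_settings, list_of_problems)."""
    resolved = {k: resolve(v, event) for k, v in settings.items()}
    beat = get_field(event, "[@metadata][beat]")
    version = get_field(event, "[@metadata][version]")
    expected_index = f"{beat}-{version}"   # 8.x data stream name per the thread
    problems = []
    if resolved.get("index") != expected_index:
        problems.append(
            f"index {resolved.get('index')!r} is not the data stream name "
            f"{expected_index!r}; the winlogbeat template and dashboards "
            "will not match it")
    if "pipeline" not in settings:
        problems.append(
            f"no 'pipeline' setting: events bypass the {expected_index}-routing "
            "ingest pipeline, so ECS fields such as user.name stay unpopulated")
    elif "%{" in resolved["pipeline"]:
        problems.append(
            f"pipeline {settings['pipeline']!r} did not resolve: "
            f"{resolved['pipeline']!r}")
    return resolved, problems


# The index/pipeline settings from the first post and from the suggested fix.
ORIGINAL_OUTPUT = {
    "index": "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}",
}
WORKING_OUTPUT = {
    "index": "%{[@metadata][beat]}-%{[@metadata][version]}",
    "pipeline": "%{[@metadata][beat]}-%{[@metadata][version]}-routing",
}

if __name__ == "__main__":
    for name, settings in (("original", ORIGINAL_OUTPUT), ("working", WORKING_OUTPUT)):
        resolved, problems = check_output(settings, SAMPLE_EVENT)
        print(name, resolved, problems or "OK")
```

Running it prints `winlogbeat-8.17.1-2025.02.03` with two problems for the original output and `winlogbeat-8.17.1` plus `winlogbeat-8.17.1-routing` with none for the fixed one; the same resolver applied to your own output block is a quick way to confirm what names Elasticsearch will actually receive before restarting Logstash.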

Now it's working.

input {
  beats {
    port => 5044
    ssl_enabled => true
    ssl_certificate_authorities => "/etc/logstash/certs/ca_logstash_cert.pem"
    ssl_certificate => "/etc/logstash/certs/logstash_server.crt"
    ssl_key => "/etc/logstash/certs/logstash_server.key"
    ssl_client_authentication => "required"
    enrich => none
  }
}
output {
  elasticsearch {
    hosts => ["https://localhost:9200"]
    ssl_enabled => true
    ssl_verification_mode => none
    ssl_certificate_authorities => "/etc/pki/tls/certs/ca_authorities.crt"
    api_key => "adfadfadfdafadfadkjj323i4uiu4"
    data_stream => false
    manage_template => false
    index => "%{[@metadata][beat]}-%{[@metadata][version]}"
    pipeline => "%{[@metadata][beat]}-%{[@metadata][version]}-routing"
    action => "create"
  }
}

Thank you so much. I will study more about pipelines.

Elastic agent sending direct to Elastic is the more modern method. Then use System, Windows and any other integrations as needed.

Exactly, Rugenl, but I need to send logs to syslog and elasticsearch. Winlogbeat doesn't do this. :slight_smile: