Hi, I'm brand new to this and learning as I go slowly.
I've set up an ELK stack to store Windows event logs, which had been working successfully.
I'm unclear on one point though: at present I am sending direct from Winlogbeat to Elasticsearch.
Will this archive all the logs it is sent historically, or should I have been going Winlogbeat to Logstash here?
I just need to confirm, in case I have missed or confused something and going straight to Elastic only "streams" the latest logs for searching; I can't seem to find a clear enough answer.
You only need to add in Logstash if you want to do additional processing of the data before it gets written to Elasticsearch, like if you wanted to parse something from the event or enrich it.
No matter what output you have configured in Winlogbeat the behavior will be the same. It will start reading from the beginning of the log (or from 72h ago in the case where ignore_older is set), send a batch of events to the output, wait for the output to acknowledge receipt of the events, then Winlogbeat records the last event record number from that batch to the registry_file, then it repeats.
When Winlogbeat is restarted it will resume from the record numbers stored in the registry file.
As I am trying to use Elasticsearch as the central repository and archive of our Windows server logs, I just wanted to check this is what I had actually achieved.
I'm unable to go back further than 72 hours at present to answer this simple question... as the index has fallen over (status: red), so I thought I'd take a minute to remove this nagging doubt from my mind before continuing to troubleshoot!
Thanks for the reply and tidying up the question title.
During your testing/evaluation of Winlogbeat, if you need to reset its state you can stop Winlogbeat, delete the registry file (C:\ProgramData\winlogbeat\.winlogbeat.yml), and restart WLB. It will reship everything from the start of the log or the point in time determined by ignore_older.
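The registry check and reset described in the reply above, as an added PowerShell example that is not part of the thread and not Elastic's own tooling. It assumes (none of this is stated in the thread) that Winlogbeat runs as a Windows service named `winlogbeat`, that the registry is at the default `C:\ProgramData\winlogbeat\.winlogbeat.yml`, that Elasticsearch answers on `http://localhost:9200`, and that events land in `winlogbeat-*` indices with the `log_name` and `record_number` fields used by Winlogbeat 5.x/6.x (newer versions name them `winlog.channel` and `winlog.record_id`). It goes a step beyond the reply by also querying Elasticsearch for the oldest and newest record it actually holds per channel, which is the direct way to answer the original question of whether the full history is archived rather than only the latest events.

```powershell
# Added example (not from the thread): inspect Winlogbeat's registry state,
# check what Elasticsearch actually holds, and reset the registry so Winlogbeat
# reships from the start of each log (or from ignore_older, if configured).
# Assumed (not stated in the thread): service name, registry path, ES URL,
# index pattern and field names below.
$RegistryPath = 'C:\ProgramData\winlogbeat\.winlogbeat.yml'   # assumed default registry location
$EsUrl        = 'http://localhost:9200'                        # assumed Elasticsearch endpoint
$IndexPattern = 'winlogbeat-*'                                 # assumed index pattern

function Show-WinlogbeatRegistry {
    # The registry is a small YAML file: one entry per channel with the last
    # record number that the output acknowledged. Winlogbeat resumes from here.
    if (-not (Test-Path $RegistryPath)) {
        Write-Warning "No registry file at $RegistryPath (Winlogbeat has not acked a batch yet, or the path is wrong)"
        return
    }
    Get-Content -Path $RegistryPath
}

function Get-IndexedRecordRange {
    # Ask Elasticsearch for the first/last record number and timestamp per channel.
    # If FirstRecord reaches back to the start of the log (or to ignore_older) and
    # LastRecord matches the registry, the history is archived, not merely streamed.
    $body = @{
        size = 0
        aggs = @{
            by_log = @{
                terms = @{ field = 'log_name'; size = 50 }    # assumed field name (5.x/6.x)
                aggs  = @{
                    first_record = @{ min = @{ field = 'record_number' } }   # assumed field name
                    last_record  = @{ max = @{ field = 'record_number' } }
                    oldest       = @{ min = @{ field = '@timestamp' } }
                    newest       = @{ max = @{ field = '@timestamp' } }
                }
            }
        }
    } | ConvertTo-Json -Depth 10

    $resp = Invoke-RestMethod -Method Post -Uri "$EsUrl/$IndexPattern/_search" `
                              -ContentType 'application/json' -Body $body

    foreach ($b in $resp.aggregations.by_log.buckets) {
        [pscustomobject]@{
            LogName     = $b.key
            Events      = $b.doc_count
            FirstRecord = $b.first_record.value
            LastRecord  = $b.last_record.value
            Oldest      = $b.oldest.value_as_string
            Newest      = $b.newest.value_as_string
        }
    }
}

function Reset-WinlogbeatState {
    # Stop the service, remove the registry, start it again. On restart Winlogbeat
    # has no saved record numbers, so it reads each channel from the beginning
    # (bounded by ignore_older) and resends everything; events already indexed
    # will be indexed a second time, so only do this on a test index.
    Stop-Service -Name 'winlogbeat'                           # assumed service name
    if (Test-Path $RegistryPath) {
        Remove-Item -Path $RegistryPath -Force
    }
    Start-Service -Name 'winlogbeat'
}

# Typical use: look before resetting.
Show-WinlogbeatRegistry
Get-IndexedRecordRange | Format-Table -AutoSize
# Reset-WinlogbeatState   # uncomment once you have confirmed duplicates are acceptable
```

Run the two inspection functions first: the registry tells you where Winlogbeat will resume, and the aggregation tells you how far back each channel is actually searchable. Note that a red index (as in the question) can make the aggregation fail or return partial shards, so fix the index health before trusting the numbers, and keep in mind that deleting the registry produces duplicate documents for anything already indexed.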