Log shipping question

jarves · August 2, 2017, 8:24am

Hi,

I'm new to ELK. My setup is I have a dedicated server for ELK and I have two servers to which I will get the logs which are windows event logs. Here are my questions:

Do I need to install a log shipper for each of my 2 servers(source of logs)? What logs shipper is the best?

What really happens when logs are shipped to ELK? Are the logs copied to the ELK server making it the central repository of logs?

Since in windows logs are archived when it reaches a certain file size, can ELK be able to read archived windows event logs?

Thanks!

warkolm · August 2, 2017, 10:24am

FYI we’ve renamed ELK to the Elastic Stack, otherwise beats feels left out

Yes, and given these are Windows event logs then winlogbeat is the best one.

They are copied/sent to Elasticsearch.

That I don't know sorry! There is Configure Winlogbeat | Winlogbeat Reference [8.11] | Elastic but not sure what happens if they are archived by Windows.

Topic		Replies	Views
Winlogbeat and Reading Log Files Beats winlogbeat	5	4457	April 12, 2016
Log archiving - Difference between ES vs LS Beats winlogbeat	5	897	December 28, 2017
How to get logs of company in one system? Beats winlogbeat	5	533	April 30, 2019
Can Filebeat ship the below type of log files? Or WInlogbeat? Beats filebeat	2	304	April 7, 2020
Send real-time logs from windows server to ELK stack Beats	2	1452	March 31, 2017

Log shipping question

Related topics