Configuration:

    input {
      beats {
        port => 5044
        type => "log"
      }
    }
    output {
      elasticsearch {
        hosts => "localhost:9200"
        manage_template => false
        index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
        document_type => "%{[@metadata][type]}"
      }
      file {
        codec => line {
          format => "{[%Date%]} | %{[severity]} : /%{[thread]}/ %{[loggername]} (%{[sourcemethodname]}) - %{[message]}"
        }
        path => "E:\ELK\Logs\Output%{host}/%{facility}-%{+yyyy-MM-dd}.log"
      }
    }
Log Example:
{[%Date%]} | %{[severity]} : /%{[thread]}/ %{[loggername]} (%{[sourcemethodname]}) - An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Impersonation Level: Impersonation
New Logon:
and so on..
So the event is fine, but the format is not working exactly as intended.
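To see why the written line looks the way it does, here is an added example (not code from the post above and not Logstash's own implementation) that re-implements the two rules of Logstash `%{...}` field references that matter here: a `%{+...}` reference is a date pattern applied to `@timestamp`, a `%{[field]}` reference is looked up in the event, and a reference to a field the event does not carry is left in the output as literal text. The sample event, its field names (`level`, `host`, the `@metadata` beat name) and the corrected format string are constructed assumptions for illustration; the field names a real shipper sends must be checked against its own output.

```python
import re
from datetime import datetime, timezone

# Constructed sample event, shaped roughly like what a Beats input hands to Logstash.
# The field names below are assumptions for this example, not a real shipper's schema.
SAMPLE_EVENT = {
    "@timestamp": datetime(2017, 3, 1, 12, 34, 56, tzinfo=timezone.utc),
    "message": "An account was successfully logged on.\nSubject:\n  Security ID: S-1-0-0",
    "host": "dc01",
    "level": "Information",
}

# A %{...} reference is either "+<date pattern>" or a "[field][sub]" path.
SPRINTF_RE = re.compile(r"%\{(\+[^}]+|[^}]+)\}")

# Minimal mapping of the Joda-style date tokens used on the page to strftime.
JODA_TO_STRFTIME = {"YYYY": "%Y", "yyyy": "%Y", "MM": "%m", "dd": "%d"}


def get_field(event, ref):
    """Resolve '[a][b]' (or a bare 'a') against a nested dict; None if absent."""
    parts = re.findall(r"\[([^\]]+)\]", ref) or [ref]
    cur = event
    for part in parts:
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def format_date(pattern, ts):
    """Apply a Joda-style pattern such as 'YYYY.MM.dd' to a datetime."""
    fmt = pattern
    for joda, strf in JODA_TO_STRFTIME.items():
        fmt = fmt.replace(joda, strf)
    return ts.strftime(fmt)


def sprintf(template, event):
    """Logstash-style expansion: unknown fields stay as the literal %{...} text."""
    def repl(match):
        body = match.group(1)
        if body.startswith("+"):
            return format_date(body[1:], event["@timestamp"])
        value = get_field(event, body)
        return match.group(0) if value is None else str(value)
    return SPRINTF_RE.sub(repl, template)


# The format string exactly as posted. "{[%Date%]}" is not a %{...} reference at
# all, and severity/thread/loggername/sourcemethodname are absent from the event,
# so only %{[message]} is replaced, which is what the written log line shows.
PAGE_FORMAT = ("{[%Date%]} | %{[severity]} : /%{[thread]}/ %{[loggername]} "
               "(%{[sourcemethodname]}) - %{[message]}")

# A corrected format (assumption): a real date reference and only fields the
# sample event actually carries.
FIXED_FORMAT = "%{+yyyy-MM-dd} | %{[level]} : %{[host]} - %{[message]}"


def render_page_format(event=SAMPLE_EVENT):
    return sprintf(PAGE_FORMAT, event)


def render_fixed_format(event=SAMPLE_EVENT):
    return sprintf(FIXED_FORMAT, event)


def render_index_name(event=SAMPLE_EVENT):
    # The elasticsearch index pattern from the post; @metadata is normally set by
    # the beat, so it is supplied here as a constructed value.
    with_meta = dict(event, **{"@metadata": {"beat": "winlogbeat"}})
    return sprintf("%{[@metadata][beat]}-%{+YYYY.MM.dd}", with_meta)


if __name__ == "__main__":
    print(render_page_format())
    print(render_fixed_format())
    print(render_index_name())
```

Running it prints the posted format with every unresolved reference left verbatim, then the corrected line with the date, level and host filled in, then the daily index name. A practical check before relying on such a file for detection or review: if a literal `%{[...]}` survives in the output, that field was never in the event, so the corresponding data (severity, thread, logger) is not actually being captured, regardless of how the line looks.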