Regarding FileBeats Configuration Issues

I have set up an ELK server currently in the testing phase. I deployed a Filebeats instance on a Windows Server to collect logs from Application, Security, System, and Windows PowerShell. However, my Logstash is only capturing Security logs at present. I have verified on Windows that the log channels and quantities are correct. Please provide suggestions for improvement. Below are my Logstash and Filebeats configuration files.

logstash.conf

input {
  beats {
    port => 5044
    host => "0.0.0.0"

    # Add debug fields to track host information
    add_field => {
      "beats_host" => "%{\[host\]\[name\]}"
      "original_agent_name" => "%{\[agent\]\[name\]}"
    }
  }
}

filter {
  if \[agent\]\[name\] {
    mutate {
      replace => { "host" => "%{\[agent\]\[name\]}" }
    }
  }

  mutate {
    convert => {
      "host" => "string"
      "\[host\]\[name\]" => "string"
      "\[agent\]\[name\]" => "string"
    }
  }
}

output {
  elasticsearch {
    hosts => \["http://localhost:9200"\]
    index => "logs-%{+YYYY.MM.dd}"
    user => "elastic"
    password => "My password"
  }

  stdout {
    codec => rubydebug
  }
}

filebeats.yml

filebeat.inputs:
- type: winlog
  name: Application
  #id: "Windows-App_IP"
  ignore_older: 72h
  tags: \["windows", "Application_eventlog"\]

- type: winlog
  name: Security
  #id: "Windows-Sec_IP"
  ignore_older: 72h
  tags: \["windows", "Security_eventlog"\]

- type: winlog
  name: System
  #id: "Windows-Sys_IP"
  ignore_older: 72h
  tags: \["windows", "System_eventlog"\]

- type: winlog
  name: Windows PowerShell
  #id: "Windows-PS_IP"
  ignore_older: 72h
  tags: \["windows", "Windows_PowerShell_eventlog"\]

processors:
- add_host_metadata:
    netinfo.enabled: false

name: "IP"

output.logstash:
  hosts: \["ELKIP:5044"\]
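A quick way to confirm, on the Windows host itself, that the four channels exist under exactly the names used in filebeat.yml and that each holds events inside the 72h ignore_older window Filebeat reads. This is an added check, not part of the original post; the channel names are taken from the configuration above.

```powershell
# Added check (not from the original post): for each channel named in
# filebeat.yml, confirm it exists, is enabled, and has events newer than
# ignore_older (72h). Run from an elevated prompt so the Security log is readable.
$channels = @('Application', 'Security', 'System', 'Windows PowerShell')
$cutoff   = (Get-Date).AddHours(-72)

foreach ($name in $channels) {
    $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
    if (-not $log) {
        Write-Warning "Channel '$name' not found; list exact names with: Get-WinEvent -ListLog *"
        continue
    }

    # Count only the events Filebeat would actually ship (newer than the cutoff).
    # Get-WinEvent raises a non-terminating error when nothing matches, so wrap in @().
    $recent = @(Get-WinEvent -FilterHashtable @{ LogName = $name; StartTime = $cutoff } `
                 -ErrorAction SilentlyContinue).Count

    [pscustomobject]@{
        Channel      = $name
        Enabled      = $log.IsEnabled
        TotalRecords = $log.RecordCount
        Last72h      = $recent
        LastWrite    = $log.LastWriteTime
    }
}
```

A channel that shows Last72h = 0 will produce nothing at the Logstash end even though Filebeat reads it without error, so compare these counts against what arrives in Elasticsearch per tag.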

Hello @RainZ

Welcome to the Community!!

As per your comments, Filebeat is able to capture the Security logs from the host and forward them to Elasticsearch via Logstash, and below is the configuration in filebeat.yml, right?

- type: winlog
  name: Security
  #id: "Windows-Sec_IP"
  ignore_older: 72h
  tags: \["windows", "Security_eventlog"\]


So in Elasticsearch you see records with the above tags but not for the other winlog types?

Please check the Filebeat logs and Logstash logs in order to understand why the other events are not sent to Elasticsearch.

Thanks!!

Hello,

Why are you escaping the square brackets in both your logstash.conf and filebeat.yml?

You should not do that.

Also, why don't you use Winlogbeat?