I have set up an ELK server that is currently in a testing phase. I deployed a Filebeat instance on a Windows Server to collect logs from the Application, Security, System, and Windows PowerShell channels. However, Logstash is currently receiving only the Security logs. I have verified on Windows that the log channels and event counts are correct. Please suggest improvements. My Logstash and Filebeat configuration files are below.
logstash.conf
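input {
  beats {
    port => 5044
    # Binds to every interface: any machine that can reach port 5044 can push
    # events into this pipeline and can read nothing back, but the stream itself
    # crosses the network in clear text. Outside a lab, enable TLS on this input
    # (ssl => true with ssl_certificate / ssl_key, and the matching CA on the
    # Filebeat side) and limit the allowed sources at the host firewall.
    host => "0.0.0.0"
    # Debug fields copied from the event as it arrives, before any filter runs.
    # Field references are written [a][b]; the "\[" in the pasted copy was only
    # markdown escaping and would not resolve. Both fields duplicate values that
    # are already on the event ([host][name], [agent][name]); drop them once the
    # host/agent naming question is settled.
    add_field => {
      "beats_host" => "%{[host][name]}"
      "original_agent_name" => "%{[agent][name]}"
    }
  }
}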
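filter {
  # Beats events carry "host" as an object (host.name, host.ip, ...). The
  # original filter replaced the whole object with a plain string, so the
  # document no longer matches the object mapping Elasticsearch created for
  # "host" from earlier events in the same index, and such documents are
  # rejected at index time (the rejection only shows up in Logstash's log, not
  # on stdout). Overwriting only [host][name] keeps the object intact and is
  # also what the convert step below expects. If the goal is merely to label
  # the sending machine, consider leaving host alone and using the agent.name
  # field, which Filebeat already fills.
  if [agent][name] {
    mutate {
      replace => { "[host][name]" => "%{[agent][name]}" }
    }
  }
  # Explicit string typing for the two fields used for host identification.
  # Converting the whole "host" object to a string was removed: it is an
  # object, not a scalar, and the conversion only produced warnings.
  mutate {
    convert => {
      "[host][name]" => "string"
      "[agent][name]" => "string"
    }
  }
}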
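output {
  elasticsearch {
    # Plain http means the credentials below travel in clear text; acceptable
    # only while Logstash and Elasticsearch share the same host.
    hosts => ["http://localhost:9200"]
    index => "logs-%{+YYYY.MM.dd}"
    # "elastic" is the superuser. Create a role limited to writing logs-* and a
    # dedicated user for Logstash, so a leaked pipeline file cannot be used to
    # administer the cluster.
    user => "elastic"
    # Never keep the password literally in the pipeline file (it ends up in
    # version control, backups and support pastes like this one). Store it in
    # the Logstash keystore (bin/logstash-keystore add ES_PWD) and reference it
    # as below; ES_PWD is a constructed key name, use whichever key you add.
    password => "${ES_PWD}"
  }
  # Prints every event, including the full content of Security-log entries, to
  # Logstash's stdout / service log. Fine while testing; remove it before the
  # pipeline carries production data.
  stdout {
    codec => rubydebug
  }
}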
filebeats.yml
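# Reconstructed from the pasted copy: indentation had been lost and the list
# markers "-" were rendered as "*". The nesting below is the assumed one —
# confirm it against the file on the server, since a misplaced key (for
# example "name" under add_host_metadata instead of at top level) is silently
# ignored rather than reported.
filebeat.inputs:
  # One winlog input per channel. The "id" lines are left commented as in the
  # original; when several inputs of the same type are configured, a unique id
  # per input keeps them apart in Filebeat's registry and in its own log, and
  # is the first thing to add when only one of several channels is shipped.
  # If only Security events reach Logstash, read Filebeat's log for errors
  # raised while the other three inputs start, and check the registry in
  # Filebeat's data directory for a stale bookmark on those channels.
  - type: winlog
    name: Application
    # id: "Windows-App_IP"
    ignore_older: 72h
    tags: ["windows", "Application_eventlog"]
  - type: winlog
    name: Security
    # id: "Windows-Sec_IP"
    ignore_older: 72h
    tags: ["windows", "Security_eventlog"]
  - type: winlog
    name: System
    # id: "Windows-Sys_IP"
    ignore_older: 72h
    tags: ["windows", "System_eventlog"]
  # "Windows PowerShell" is the legacy engine channel. Script block logging
  # (event 4104) and module logging are written to
  # Microsoft-Windows-PowerShell/Operational; add a further winlog input for
  # that channel if those events are wanted for detection.
  - type: winlog
    name: Windows PowerShell
    # id: "Windows-PS_IP"
    ignore_older: 72h
    tags: ["windows", "Windows_PowerShell_eventlog"]

processors:
  - add_host_metadata:
      netinfo.enabled: false

# Assumed to be the top-level Beat name (Filebeat reports it as agent.name,
# which the Logstash filter reads); "IP" is the placeholder from the original
# paste. add_host_metadata has no "name" option, so this cannot belong there.
name: "IP"

output.logstash:
  # "ELKIP" is the placeholder from the original paste. The connection is
  # unencrypted: Security-log content crosses the network in clear text and
  # any host can push events to the Logstash port. Enable TLS here
  # (ssl.certificate_authorities, and ssl.certificate / ssl.key if Logstash
  # verifies clients) together with the matching settings on the beats input.
  hosts: ["ELKIP:5044"]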