Regarding FileBeats Configuration Issues

I have set up an ELK server currently in the testing phase. I deployed a Filebeats instance on a Windows Server to collect logs from Application, Security, System, and Windows PowerShell. However, my Logstash is only capturing Security logs at present. I have verified on Windows that the log channels and quantities are correct. Please provide suggestions for improvement. Below are my Logstash and Filebeats configuration files.

logstash.conf

input {
  beats {
    port => 5044
    host => "0.0.0.0"

    # Add debug fields to track host information
    add_field => {
      "beats_host" => "%{\[host\]\[name\]}"
      "original_agent_name" => "%{\[agent\]\[name\]}"
    }
  }
}

filter {
  if \[agent\]\[name\] {
    mutate {
      replace => { "host" => "%{\[agent\]\[name\]}" }
    }
  }

  mutate {
    convert => {
      "host" => "string"
      "\[host\]\[name\]" => "string"
      "\[agent\]\[name\]" => "string"
    }
  }
}

output {
  elasticsearch {
    hosts => \["http://localhost:9200"\]
    index => "logs-%{+YYYY.MM.dd}"
    user => "elastic"
    password => "My password"
  }

  stdout {
    codec => rubydebug
  }
}

filebeats.yml

filebeat.inputs:
- type: winlog
  name: Application
  #id: "Windows-App_IP"
  ignore_older: 72h
  tags: \["windows", "Application_eventlog"\]

- type: winlog
  name: Security
  #id: "Windows-Sec_IP"
  ignore_older: 72h
  tags: \["windows", "Security_eventlog"\]

- type: winlog
  name: System
  #id: "Windows-Sys_IP"
  ignore_older: 72h
  tags: \["windows", "System_eventlog"\]

- type: winlog
  name: Windows PowerShell
  #id: "Windows-PS_IP"
  ignore_older: 72h
  tags: \["windows", "Windows_PowerShell_eventlog"\]

processors:
- add_host_metadata:
    netinfo.enabled: false

name: "IP"

output.logstash:
  hosts: \["ELKIP:5044"\]

Hello @RainZ

Welcome to the Community!!

As per your comments, filebeat is able to capture the Security logs from the host & able to forward them to elasticsearch via logstash, & below is the configuration in filebeat.yml, right?:

- type: winlog
  name: Security
  #id: "Windows-Sec_IP"
  ignore_older: 72h
  tags: \["windows", "Security_eventlog"\]


So in elasticsearch you see records with above tags but not for other winlog type?

Please check the filebeat logs/logstash logs in order to understand why the other events are not sent to Elasticsearch.

Thanks!!

1 Like

Hello,

Why are you escaping the square brackets in both your logstash.conf and filebeat.yml?

You should not do that.

1 Like
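The two points raised in this thread (the backslash-escaped square brackets in both files, and the question of whether every expected winlog channel is actually configured) can be checked mechanically before restarting Filebeat. The script below is an added example, not code from the thread or from Elastic; it does a deliberately simple line-based scan of the config text (no PyYAML dependency) and assumes the two-space indentation used in the post. The sample config strings are constructed here to mirror the post's shape: the "broken" one keeps the escaped brackets and drops the `name:` from one input, the "fixed" one is what the replies are asking for. Run it as `python lint_beats_config.py` (filename is hypothetical).

```python
import re

# Matches a backslash immediately followed by '[' or ']'. YAML and the Logstash
# config language both read that backslash literally, so "tags: \["windows"\]"
# is not a list and "%{\[host\]\[name\]}" is not a field reference.
ESCAPED_BRACKET = re.compile(r"\\[\[\]]")

# Channels the original poster intends to collect (from the thread).
EXPECTED_CHANNELS = ["Application", "Security", "System", "Windows PowerShell"]

# Constructed sample: escaped brackets everywhere and one input without a name.
BROKEN_FILEBEAT_YML = r"""filebeat.inputs:
- type: winlog
  name: Application
  ignore_older: 72h
  tags: \["windows", "Application_eventlog"\]
- type: winlog
  name: Security
  ignore_older: 72h
  tags: \["windows", "Security_eventlog"\]
- type: winlog
  ignore_older: 72h
  tags: \["windows", "System_eventlog"\]
output.logstash:
  hosts: \["ELKIP:5044"\]
"""

# Constructed sample: the same file with plain brackets and all four channels.
FIXED_FILEBEAT_YML = r"""filebeat.inputs:
- type: winlog
  name: Application
  ignore_older: 72h
  tags: ["windows", "Application_eventlog"]
- type: winlog
  name: Security
  ignore_older: 72h
  tags: ["windows", "Security_eventlog"]
- type: winlog
  name: System
  ignore_older: 72h
  tags: ["windows", "System_eventlog"]
- type: winlog
  name: Windows PowerShell
  ignore_older: 72h
  tags: ["windows", "Windows_PowerShell_eventlog"]
output.logstash:
  hosts: ["ELKIP:5044"]
"""

# Constructed Logstash fragment with an escaped field reference in add_field.
LOGSTASH_CONF = r"""input {
  beats {
    port => 5044
    add_field => { "beats_host" => "%{\[host\]\[name\]}" }
  }
}
"""


def find_escaped_brackets(text):
    """Return (line_number, line) for every line containing \\[ or \\]."""
    return [(n, line) for n, line in enumerate(text.splitlines(), 1)
            if ESCAPED_BRACKET.search(line)]


def winlog_inputs(text):
    """Minimal line-based parse of the filebeat.inputs list: each '- type:' item
    becomes a dict of its two-space-indented 'key: value' lines. Parsing stops
    at the next top-level key (e.g. output.logstash). Nested maps are ignored."""
    inputs, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("- type:"):
            current = {"type": line.split(":", 1)[1].strip()}
            inputs.append(current)
        elif line.startswith("  ") and ":" in line and current is not None:
            key, value = line.strip().split(":", 1)
            current[key.strip()] = value.strip()
        elif line and not line.startswith((" ", "-")):
            current = None  # left the inputs list
    return [i for i in inputs if i["type"] == "winlog"]


def check_winlog_channels(text, expected):
    """Return (missing_channels, unnamed_input_count) for the winlog inputs."""
    inputs = winlog_inputs(text)
    names = {i["name"] for i in inputs if "name" in i}
    missing = sorted(set(expected) - names)
    unnamed = sum(1 for i in inputs if "name" not in i)
    return missing, unnamed


def lint(text, expected_channels=None):
    """Collect human-readable findings; pass expected_channels for filebeat.yml."""
    findings = [f"line {n}: backslash-escaped bracket is read literally: {line.strip()}"
                for n, line in find_escaped_brackets(text)]
    if expected_channels is not None:
        missing, unnamed = check_winlog_channels(text, expected_channels)
        findings += [f"no winlog input has name: {ch}" for ch in missing]
        if unnamed:
            findings.append(f"{unnamed} winlog input(s) lack 'name:' (the channel to read)")
    return findings


if __name__ == "__main__":
    for label, text, channels in [("broken filebeat.yml", BROKEN_FILEBEAT_YML, EXPECTED_CHANNELS),
                                  ("fixed filebeat.yml", FIXED_FILEBEAT_YML, EXPECTED_CHANNELS),
                                  ("logstash.conf", LOGSTASH_CONF, None)]:
        print(f"== {label}")
        for finding in lint(text, channels) or ["ok"]:
            print("  ", finding)
```

On the broken sample the script flags the four escaped-bracket lines, the two channels that no input names, and the input that has no `name:` at all; on the fixed sample it reports nothing. The channel check is the useful half for this thread's symptom: if only one channel arrives in Logstash, comparing the `name:` values Filebeat was actually started with against the channels you expect is the first thing to rule out before reading Filebeat's own logs.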

Also, why don't you use winlogbeat?