Sending Event Logs and Log Files

Badb0y · August 3, 2018, 7:40am

Is there anybody can help me, how to configure the winlogbeat to send these logs?

define BASEDIR D:\sdfdsfs\LogFiles\zip_archive File '%BASEDIR%\www.vvv.com\u*.log' Module im_file File '%BASEDIR%\www81.vvv.com\u*.log' Module im_file File '%BASEDIR%\http_sys_logs\HTTPERR\h*.log'

How can I define this in the config yml?

I'm using 6.2.4 version and we would like to install winglobeat around 3000 servers but we should know how we can configure this.

Very appreciate any help.

The current config is basic like this:

winlogbeat.event_logs:

name: Application
ignore_older: 72h
name: Security
name: System
name: Specialeventlog
output.logstash:
hosts: ["server:5054"]

I'd like to extend this according to my table.

kvch · August 3, 2018, 8:26am

Where is that log coming from? What's the ID of that event?

andrewkroh · August 3, 2018, 2:27pm

I think you are trying to ingest a file to Elasticsearch. For that, use Filebeat. Winlogbeat only does Windows event logs. If you need to ingest both event logs and log files then install both Winlogbeat and Filebeat together on your Windows host.

Badb0y · August 5, 2018, 4:22am

Hi Noemi, I don't know yet, still waiting for the information from the team, but you are asking because if it has an id, it means it reports to one of the windows log so we can define it from the winevt directory and can filter after?

Badb0y · August 5, 2018, 4:24am

Yes, exactly, I want to ingest logs to elastic search. With filebeat for windows can ingest files and event logs as well? I just recognized we have filebeat for windows not only for linux.

kvch · August 6, 2018, 8:38am

Yes, you can use Filebeat on Windows to collect logs from files. The configuration is done the same way as on Linux.

Badb0y · August 6, 2018, 5:21pm

How about the event logs?

kvch · August 7, 2018, 11:15am

You need Winlogbeat for that. So it means that you need to run two Beats in parallel; one Filebeat to collect log files and one Winlogbeat to collect event logs.

Badb0y · August 14, 2018, 6:47am

I haven't tried this yet, but how about this one:

kvch · August 14, 2018, 6:59am

If you only need to forward logs to an output, you should go with Filebeat. It's more lightweight than Logstash. Do you want to transform and/or use advanced filtering on your logs? If yes, choose Logstash.

Badb0y · August 14, 2018, 7:10am

I just want to send logs from event logs and from files.

kvch · August 14, 2018, 7:22am

Then I think you should stick with Filebeat. You just need to configure the path to the log files and set the output. See more here on how to configure Filebeat: https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-configuration.html
Getting started guide: https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-getting-started.html

Badb0y · August 14, 2018, 8:26am

Yeye, but in case of event logs?

kvch · August 14, 2018, 8:32am

For event logs you need Winlogbeat, which is a separate Beat. You can find the getting started guide here: https://www.elastic.co/guide/en/beats/winlogbeat/master/winlogbeat-getting-started.html

Badb0y · August 22, 2018, 8:51am

I've installed filebeat next to the winlogbeat now, so I'd like to send these logs:

from this directory:
Let's call this as a basedir: D:\httplogs\LogFiles\zip_archive

These logs:
'%BASEDIR%\www.sd.com\u*.log'
and if the logs:
if $raw_event =~ /^#/ drop();
just drop it

and in our old configuration it was:
$SourceName = 'web_return_code';

Here is the config actually that I want to replace.
https://pastebin.com/raw/eJx3vKQt

system · September 19, 2018, 8:51am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.