Sending Event Logs and Log Files

Is there anybody can help me, how to configure the winlogbeat to send these logs?

define BASEDIR D:\sdfdsfs\LogFiles\zip_archive File '%BASEDIR%\\u*.log' Module im_file File '%BASEDIR%\\u*.log' Module im_file File '%BASEDIR%\http_sys_logs\HTTPERR\h*.log'

How can I define this in the config yml?

I'm using 6.2.4 version and we would like to install winglobeat around 3000 servers but we should know how we can configure this.

Very appreciate any help.

The current config is basic like this:


  • name: Application
    ignore_older: 72h
  • name: Security
  • name: System
  • name: Specialeventlog
    hosts: ["server:5054"]

I'd like to extend this according to my table.

Where is that log coming from? What's the ID of that event?

I think you are trying to ingest a file to Elasticsearch. For that, use Filebeat. Winlogbeat only does Windows event logs. If you need to ingest both event logs and log files then install both Winlogbeat and Filebeat together on your Windows host.

Hi Noemi, I don't know yet, still waiting for the information from the team, but you are asking because if it has an id, it means it reports to one of the windows log so we can define it from the winevt directory and can filter after?

Yes, exactly, I want to ingest logs to elastic search. With filebeat for windows can ingest files and event logs as well? I just recognized we have filebeat for windows not only for linux.

Yes, you can use Filebeat on Windows to collect logs from files. The configuration is done the same way as on Linux.

How about the event logs?

You need Winlogbeat for that. So it means that you need to run two Beats in parallel; one Filebeat to collect log files and one Winlogbeat to collect event logs.

I haven't tried this yet, but how about this one:

If you only need to forward logs to an output, you should go with Filebeat. It's more lightweight than Logstash. Do you want to transform and/or use advanced filtering on your logs? If yes, choose Logstash.

I just want to send logs from event logs and from files.

Then I think you should stick with Filebeat. You just need to configure the path to the log files and set the output. See more here on how to configure Filebeat:
Getting started guide:

Yeye, but in case of event logs?

For event logs you need Winlogbeat, which is a separate Beat. You can find the getting started guide here:

I've installed filebeat next to the winlogbeat now, so I'd like to send these logs:

from this directory:
Let's call this as a basedir: D:\httplogs\LogFiles\zip_archive

These logs:
and if the logs:
if $raw_event =~ /^#/ drop();
just drop it

and in our old configuration it was:
$SourceName = 'web_return_code';

Here is the config actually that I want to replace.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.