Sending Windows security logs to a different LogStash endpoint - multiple logstash endpoints


We have a requirement to send our security logs to a different LogStash endpoint - I've tried various configs in the WinLogBeat.yml file - but Im not sure if its possible.

I know on LogStash this is fairly easy to send to different ES endpoints/indices, but the same format doesnt seem to work in the WinLogBeat.yml - basically we want our inputs to be all logs, but to send the security logs specifically to a different LogStash endpoint.

Its fine if it duplicates and sends security logs to both - the only way I can currently see of achieving this is with 2 WinLogBeat instances, but was hoping to do it with just one.

Any help appreciated.

My best attempt was something like:

input {

  • name: Application
    fields: {log_type: Application}
  • name: Security
    fields: {log_type: Security}
  • name: System
    fields: {log_type: System}

filter {
if [fields][log_type] == "Security" {
- enabled: true
index: winsec

But of course this format is more for LogStash and not for yml and hence fails so didnt continue.

Hello, its not currently possible for Winlogbeat to send to more than one different output. There are a few ways to make it work:

  1. Start two winlogbeat, which is what you are doing.
  2. Send to a common logstash instance that will redirect the events to the others instances.
  3. Use a queues that two different logstash will read.

The first is probably the easiest solution.

1 Like

Hi Pier,

Thanks for confirming this for me and anyone else - I had fun trying to achieve the impossible with the Beats config regardless :smile:



This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.