Sending Windows security logs to a different LogStash endpoint - multiple logstash endpoints

Hi,

We have a requirement to send our security logs to a different LogStash endpoint - I've tried various configs in the WinLogBeat.yml file - but I'm not sure if it's possible.

I know on LogStash this is fairly easy to send to different ES endpoints/indices, but the same format doesn't seem to work in the WinLogBeat.yml - basically we want our inputs to be all logs, but to send the security logs specifically to a different LogStash endpoint.

It's fine if it duplicates and sends security logs to both - the only way I can currently see of achieving this is with 2 WinLogBeat instances, but was hoping to do it with just one.

Any help appreciated.

My best attempt was something like:

```
input {
winlogbeat.event_logs:

  - name: Application
    fields: {log_type: Application}
  - name: Security
    fields: {log_type: Security}
  - name: System
    fields: {log_type: System}
    }

filter {
if [fields][log_type] == "Security" {
output.logstash:
hosts:
-
ssl:
- enabled: true
index: winsec
}
}
```

But of course this format is more for LogStash and not for yml and hence fails, so I didn't continue.

Hello, it's not currently possible for Winlogbeat to send to more than one different output. There are a few ways to make it work:

  1. Start two Winlogbeat instances, which is what you are doing.
  2. Send to a common Logstash instance that will redirect the events to the other instances.
  3. Use a queue that two different Logstash instances will read.

The first is probably the easiest solution.
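For option 2, the routing happens in a Logstash pipeline rather than in winlogbeat.yml: Winlogbeat keeps a single `output.logstash` pointing at the shared Logstash, keeps the `fields: {log_type: ...}` entries per channel as in the attempt above, and the shared Logstash forwards Security events to the second endpoint. The pipeline below is an added example written for this thread, not configuration from the original posts or from Elastic; the hostnames, ports and certificate path are placeholders, and it assumes the second Logstash listens with a `beats` input with SSL enabled, which is what the `lumberjack` output expects.

```logstash
# Router pipeline on the shared Logstash instance (added example, not from the thread).
# Winlogbeat sends every channel here; events whose custom field log_type is
# "Security" are additionally forwarded to a second Logstash endpoint.

input {
  beats {
    port => 5044   # Winlogbeat's single output.logstash target
  }
}

output {
  # Every event (Application, Security, System) goes to the normal destination.
  elasticsearch {
    hosts => ["https://es.example.internal:9200"]   # placeholder
    index => "winlogbeat-%{+YYYY.MM.dd}"
  }

  # Security events are duplicated to the second Logstash. The lumberjack output
  # speaks the same protocol Beats use, so the receiving side is a plain
  # beats input with SSL enabled on port 5045.
  if [fields][log_type] == "Security" {
    lumberjack {
      hosts           => ["logstash-sec.example.internal"]        # placeholder
      port            => 5045
      ssl_certificate => "/etc/logstash/certs/logstash-sec.crt"  # placeholder: the receiver's cert
    }
  }
}
```

On the receiving Logstash, a `beats` input on port 5045 with `ssl_enabled => true` and the matching `ssl_certificate`/`ssl_key` terminates the connection, and its own output can write to the `winsec` index the question mentions. Because `log_type` is a custom field set in the agent config, an event from a host whose winlogbeat.yml omits it would silently miss the Security branch; Winlogbeat 7+ also populates `winlog.channel` from the event itself, so `if [winlog][channel] == "Security"` is the more robust condition when the agent configs are not all under your control.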


Hi Pier,

Thanks for confirming this for me and anyone else - I had fun trying to achieve the impossible with the Beats config regardless :smile:

KR,

J
