Unable to install "logstash-input-eventlog" plugin (windows event viewer logs)

[root@redes logstash]# logstash-plugin install logstash-input-eventlog
Validating logstash-input-eventlog
Installing logstash-input-eventlog
Error Bundler::InstallError, retrying 1/10
An error occurred while installing logstash-core (5.6.2), and Bundler cannot continue.
Make sure that gem install logstash-core -v '5.6.2' succeeds before bundling.

Requesting help to resolve this.

I can't help with the error, sorry, but as an alternative what about using Winlogbeat?

Hey Mark, thanks for replying.

Currently I have logs available in CSV, XML and EVTX format. I have tried the CSV filter; however, it looks like not a very good option for Windows logs, because they contain valuable information in long messages.

Currently I am exploring the XML filter and the eventlog plugin (which looks very simple to implement).

Not sure if I'll get permission to install Winlogbeat. Are you experienced in installing Winlogbeat?

I mean, how's your experience with Winlogbeat?

It's pretty easy to install and get working, check out https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-getting-started.html

I'm trying to load Winlogbeat; however, I'm unable to start the service and got the error below.

PS C:\Program Files\winlogbeat> .\winlogbeat.exe -c .\winlogbeat.yml -configtest -e
.\winlogbeat.exe : 2017/10/03 12:33:22.287733 metrics.go:23: INFO Metrics logging every 30s
At line:1 char:2
+ .\winlogbeat.exe -c .\winlogbeat.yml -configtest -e
    + CategoryInfo          : NotSpecified: (2017/10/03 12:3...gging every 30s:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

2017/10/03 12:33:22.287733 beat.go:297: INFO Home path: [C:\Program Files\winlogbeat] Config path: [C:\Program Files\winlogbeat] Data path: [C:\Program Files\winlogbeat\data] Logs
path: [C:\Program Files\winlogbeat\logs]
2017/10/03 12:33:22.289736 beat.go:192: INFO Setup Beat: winlogbeat; Version: 5.6.2
2017/10/03 12:33:22.289736 output.go:258: INFO Loading template enabled. Reading template file: C:\Program Files\winlogbeat\winlogbeat.template.json
2017/10/03 12:33:22.290736 output.go:269: INFO Loading template enabled for Elasticsearch 2.x. Reading template file: C:\Program Files\winlogbeat\winlogbeat.template-es2x.json
2017/10/03 12:33:22.290736 output.go:281: INFO Loading template enabled for Elasticsearch 6.x. Reading template file: C:\Program Files\winlogbeat\winlogbeat.template-es6x.json
2017/10/03 12:33:22.290736 client.go:128: INFO Elasticsearch url: http://XXXXXXX:9200
2017/10/03 12:33:22.290736 outputs.go:108: INFO Activated elasticsearch as output plugin.
2017/10/03 12:33:22.290736 publish.go:300: INFO Publisher name: XXXXXXX028s
2017/10/03 12:33:22.293734 async.go:63: INFO Flush Interval set to: 1s
2017/10/03 12:33:22.293734 async.go:64: INFO Max Bulk Size set to: 50
2017/10/03 12:33:22.293734 beat.go:346: CRIT Exiting: Error reading configuration file. 1 error: Invalid top-level key 'template' found. Valid keys are bulk_queue_size, dashboards,
fields, fields_under_root, geoip, logging, max_procs, name, output, path, processors, queue_size, refresh_topology_freq, tags, topology_expire, winlogbeat accessing config
Exiting: Error reading configuration file. 1 error: Invalid top-level key 'template' found. Valid keys are bulk_queue_size, dashboards, fields, fields_under_root, geoip, logging,
max_procs, name, output, path, processors, queue_size, refresh_topology_freq, tags, topology_expire, winlogbeat accessing config
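A small check, added here and not part of the thread or of Winlogbeat itself, that mirrors the top-level key validation behind the CRIT line above: it flags `template` at the top level of a constructed winlogbeat.yml and passes once the same settings are nested under `output.elasticsearch` (the 5.x layout, assumed; the host and template path are placeholders):

```python
# Added example: reproduces the top-level key check from the CRIT line above and
# shows the fix of nesting 'template' under output.elasticsearch. The valid-key list
# is the one Winlogbeat 5.6.2 printed; both config snippets are constructed.
import re

VALID_TOP_LEVEL_KEYS = {
    "bulk_queue_size", "dashboards", "fields", "fields_under_root", "geoip",
    "logging", "max_procs", "name", "output", "path", "processors",
    "queue_size", "refresh_topology_freq", "tags", "topology_expire", "winlogbeat",
}

# Constructed config that triggers the error: 'template' sits at the top level.
BROKEN_CONFIG = """\
winlogbeat.event_logs:
  - name: Security
output.elasticsearch:
  hosts: ["ELASTICSEARCH_HOST:9200"]
template:
  enabled: true
  path: winlogbeat.template.json
"""

# Same settings with 'template' nested under output.elasticsearch (assumed 5.x layout).
FIXED_CONFIG = """\
winlogbeat.event_logs:
  - name: Security
output.elasticsearch:
  hosts: ["ELASTICSEARCH_HOST:9200"]
  template.enabled: true
  template.path: winlogbeat.template.json
"""

_TOP_KEY = re.compile(r"^([A-Za-z_][\w.]*)\s*:")


def top_level_keys(config_text):
    """Return top-level keys in order; a dotted key like 'a.b:' counts as key 'a'."""
    keys = []
    for line in config_text.splitlines():
        if not line or line[0] in " \t#-":   # skip blank, indented, comment and list lines
            continue
        m = _TOP_KEY.match(line)
        if m:
            keys.append(m.group(1).split(".")[0])
    return keys


def invalid_top_level_keys(config_text):
    """Keys Winlogbeat 5.6.2 would reject with 'Invalid top-level key ... found'."""
    return sorted(k for k in set(top_level_keys(config_text)) if k not in VALID_TOP_LEVEL_KEYS)
```

Running `invalid_top_level_keys` on the broken snippet returns `['template']`; on the fixed one it returns an empty list.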

Please post your config, make sure to format it with the </> button so it is readable.

Hi Mark, I was able to push Windows logs to Logstash and then to Elasticsearch and Kibana. :grinning:

Currently working on creating a dashboard in Kibana.
Will look into the above errors in the coming week.

Thanks.
