Uploading Event Logs

Does anyone know how to upload Windows Event Logs to my Linux VM?

Have you had a look at Winlogbeat?

Yes, had some issues - I reinstalled and this is my configuration file:
#======================= Winlogbeat specific options ==========================

winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: Security
  - name: System

#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["IP:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

For some reason nothing is coming up in Kibana

What does your Logstash config look like?

Is the logstash-nginx.es.conf file meant to be in /logstash/conf.d?
I have:
02-beats:

input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}

10-syslog

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    syslog_pri { }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

30-elasticsearch

output {
  elasticsearch {
    hosts => ["localhost:9200"]
    sniffing => true
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}

What do those config files look like?

I just edited my last response

It seems you have SSL configured for the beats input but not for Winlogbeat. Can you try and disable SSL in the beats input to see if this allows data to flow? Is there anything in the Winlogbeat logs?

I take it that by disabling SSL you mean either deleting it or commenting it out, or do you mean setting ssl => False?

Yes.

So this is the config file now:

input {
  beats {
    port => 5044
    # ssl => true
    # ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    # ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}

There are no logs in the Winlogbeat file. The last time I tried Winlogbeat it had a log file, but now that I have reinstalled everything, it doesn't create one.

Do you happen to have any good tutorials for installing Beats in Linux so that I can forward Event Logs?
I have tried many but I always end up having to mix them otherwise it doesn't work.

Winlogbeat will need to run on a Windows box as it is Windows specific.

I am running on a Windows box.
I've been having issues forwarding these logs for days. Do you know of any good tutorials out there for setting Beats up?

Any clues as to why it isn't producing a log file?
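As an added example (not a configuration posted in this thread), here is a winlogbeat.yml that keeps TLS enabled so it matches the original `ssl => true` beats input on the Logstash side, and turns on file logging so Winlogbeat writes its own log where connection errors can be seen. The CA file path, the log directory and the 192.0.2.10 host are assumptions.

```yaml
# Added example winlogbeat.yml fragment; not from the thread above.
# Assumptions: the CA that signed logstash-forwarder.crt has been copied to
# C:\ProgramData\winlogbeat\ca.pem, and Logstash listens on 192.0.2.10:5044.
winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: Security
  - name: System

output.logstash:
  hosts: ["192.0.2.10:5044"]
  # Keep TLS on to match `ssl => true` in the Logstash beats input;
  # Winlogbeat verifies the Logstash certificate against this CA.
  ssl.certificate_authorities: ["C:/ProgramData/winlogbeat/ca.pem"]
  # "full" also checks that the certificate name matches the host.
  ssl.verification_mode: full

# Write Winlogbeat's own log to disk so a failing TLS handshake
# or an unreachable host shows up instead of failing silently.
logging.level: info
logging.to_files: true
logging.files:
  path: C:/ProgramData/winlogbeat/Logs
  name: winlogbeat
  keepfiles: 7
```

With this in place the `ssl`, `ssl_certificate` and `ssl_key` lines in the Logstash beats input should be uncommented again, so both sides speak TLS.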
