Windows Event Log connector with Logstash

Hello all,

I would like to thank you in advance for your time reading my following issue:
In order to install the Windows integrations (Windows Event Logs/Windows) and benefit from the provided visualisations and the rules from Elastic Security, I'm trying to set up the integration by modifying the winlogbeat.yml in the Winlogbeat install directory by adding:

output.elasticsearch:
  hosts: ["<es_url>"]
  username: "elastic"
  password: ""
setup.kibana:
  host: "<kibana_url>"

However, we use Logstash between Winlogbeat (installed on WEF) and Elasticsearch, and I could not figure out which setup to implement to make the logs appear in the stream and from the connector.

Does the setup need to be the same when Logstash is used? Is it going to duplicate the events by adding output.elasticsearch in the winlogbeat config?

Thank you in advance for your help on this, and sorry if the subject has already been treated in the portal.

Regards,

Remy

All beats only support one output, so if you need Logstash between your beat and Elasticsearch, then you need to configure the Logstash output.

Check this documentation with the steps to configure the Logstash output.
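A winlogbeat.yml for the Logstash path described in this thread, as an added example that is not part of the original posts. `<logstash_host>` and the CA path are placeholders, the three event logs are a constructed selection, and port 5044 is assumed to be the port of the Beats input on the Logstash side.

```yaml
# winlogbeat.yml on the WEF collector (added example)

winlogbeat.event_logs:
  - name: Security
  - name: System
  - name: Application

# Only one output may be enabled. Keep output.elasticsearch out of the file
# (or commented) so every event takes a single path:
#   Winlogbeat -> Logstash -> Elasticsearch
#output.elasticsearch:
#  hosts: ["<es_url>"]
#  username: "elastic"
#  password: ""

output.logstash:
  # Must match the port of the beats input in the Logstash pipeline (assumed 5044).
  hosts: ["<logstash_host>:5044"]
  # Encrypt the Winlogbeat -> Logstash hop; the path is a placeholder.
  #ssl.certificate_authorities: ["<path_to_ca.pem>"]

# The index template and Kibana dashboards are not loaded through Logstash.
# Load them once, directly against Elasticsearch and Kibana, by overriding
# the output on the command line (PowerShell, from the Winlogbeat directory):
#
#   .\winlogbeat.exe setup -e `
#     -E output.logstash.enabled=false `
#     -E 'output.elasticsearch.hosts=["<es_url>"]' `
#     -E 'output.elasticsearch.username=elastic' `
#     -E 'output.elasticsearch.password=<password>' `
#     -E 'setup.kibana.host=<kibana_url>'
#
# These -E overrides apply to that one run only; the service keeps shipping
# to Logstash using the file above.
```

On the Logstash side the pipeline needs a `beats` input listening on the same port and an `elasticsearch` output. Prefer a dedicated account with only the privileges required for setup over the `elastic` superuser for the one-time setup run.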
