Winlogbeat via Logstash for a new index

Hi,

I have installed Winlogbeat 5.4 on a Windows Server 2016 machine. The service is started. I have configured the ELK server; this server is also running fine.

output.logstash:
  # The Logstash hosts
  hosts: ["192.168.0.13:5044"]

Now I want to have a new index in Kibana, so I configured the output via Logstash as above.
This is now my Logstash input/output configuration. How do I have to do that now with the output? It doesn't work at the moment. I don't receive anything in Kibana. I have also already tried if [type] == "winlogbeat", but this is also not working.

input {
#  file {
#    path => "/tmp/in.log"
#    type => "logfile"  # a type to identify those logs (will need this later)
#    start_position => "beginning"
#  }
  syslog {
    port => 5514
    type => "syslog"
  }
  udp {
    type => "pfsense"
    port => 5140
  }
  beats {
    type => "winlogbeat"
    port => 5044
  }
  udp {
    type => "syslog"
    port => 5515
  }
}

output {
#  file {
#    path => "/tmp/out.log"
#  }
  if [type] == "beats" {
    elasticsearch {
      hosts => "localhost:9200"
      index => "logstash-eventlog-%{YYYY.mm.dd}"
    }
  } else {
    elasticsearch {
      hosts => "localhost:9200"
      index => "logstash-%{+YYYY.MM.dd}"
    }
  }
#  if [@metadata][cthostmeta] == "ELKSTACK" {
#    file {
#      codec => rubydebug { metadata => true }
#      path => "/tmp/logstash_out.log"
#    }
#  }
}

Thanks for any help with that.

Best Regards,
Marc
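
An added example, not part of the original post: one way to send Winlogbeat events to their own index by testing the shipper name that the beats input stores in `[@metadata][beat]`, with a date pattern that uses the `+` prefix and `MM` for the month. It assumes Winlogbeat 5.x delivering to port 5044 as configured above; the `stdout` debug output is an addition for checking whether events arrive at all.

```logstash
input {
  beats {
    port => 5044                      # port Winlogbeat ships to, as in the post
  }
}

output {
  # The beats input records the shipper name in [@metadata][beat],
  # so this condition does not depend on the event's type field.
  if [@metadata][beat] == "winlogbeat" {
    elasticsearch {
      hosts => "localhost:9200"
      # "+" makes this a date pattern taken from @timestamp.
      # MM is the month; lowercase mm would be the minute.
      index => "logstash-eventlog-%{+YYYY.MM.dd}"
    }
  } else {
    elasticsearch {
      hosts => "localhost:9200"
      index => "logstash-%{+YYYY.MM.dd}"
    }
  }

  # Temporary debug output: prints every event including @metadata,
  # which shows whether events arrive and which branch they match.
  stdout { codec => rubydebug { metadata => true } }
}
```

Without the `+`, `%{YYYY.mm.dd}` is read as a field reference and stays in the index name as literal text, which Elasticsearch rejects because index names must be lowercase.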

Have you looked in the Logstash log? Is it receiving anything at all? You may have to increase the log level.

Hi Magnus,

I have reopened this topic in Winlogbeat: Can't create winlogbeat-*
