Working with filebeat and Winlogbeat at the same time

WarriorHarb · April 3, 2019, 1:37pm

Hello,
So i had configured Filebeat to forward data to Logstash via port 5044 and data has to go through Grok filter (that contains a drop condition )

if "_grokparsefailure" in [tags] {
	drop {}
	}

it is working fine , and data that correspond to my format was parsed to fields, non conforming formats were dropped.
Now i added Winlogbeat and made it forward data to logstash via the same port 5044 but i receive nothing in winlogbeat when i check in Kibana. My best guess is they are being dropped by my grok filter.
So is there a way to make it skip the grok filter like making it forward data through a seperate port or something.
Any help will be apperciated.

WarriorHarb · April 4, 2019, 9:20am

I solved it for who ever crossed this problem , here is the solution :
-use one port for both winlogbeat and filebeat (they will be tagged automatically )
-in the filter section :

filter {
		if "wineventlog" in [type]{ }
		if "wineventlog" not in [type]{
            *your grok filter here with the drop condition and all* } }

Hope this would be helpful.

system · May 2, 2019, 9:20am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.