Send Logs from Winlogbeat through Logstash to ELK

I have successfully installed Elasticsearch and Kibana on an Ubuntu machine. Now, I would like to install Logstash on a separate Ubuntu machine.

sudo apt update && sudo apt install logstash -y

Logstash needs a configuration file to tell it where to receive logs from and where to send them. So let's make a new one for Winlogbeat.

sudo nano /etc/logstash/conf.d/winlogbeat.conf

Replace the IP address, username, and password with your own credentials.

Before starting Logstash, let's check if the configuration is correct:

sudo /usr/share/logstash/bin/logstash --path.settings /etc/logstash -t

"Configuration OK", the config is good!

This command will parse the configuration files (including any files in /etc/logstash/conf.d/) and report any errors or warnings.

  • -t → It parses and validates all the configuration files (found in the directory specified by --path.settings, such as /etc/logstash) to check for syntax errors or misconfigurations, then exits once testing is complete. This is useful because it allows us to ensure the configuration is correct before we start processing events.

Now let's start and enable Logstash.

sudo systemctl start logstash.service
sudo systemctl enable logstash.service
sudo systemctl status logstash.service

Next, we need to configure Logstash to listen for incoming data from Winlogbeat on port 5044.

/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/winlogbeat.conf

When you run this command:

  1. Logstash will start and load the configuration from /etc/logstash/conf.d/winlogbeat.conf.

  2. It will begin listening for incoming data (from Winlogbeat on port 5044).

  3. It will process the data according to the configuration and send it to the specified output ( Elasticsearch).

Let's verify if there are any issues.

sudo journalctl -u logstash --no-pager --lines=50

This command displays the most recent 50 log lines from the Logstash service

Now we need to configure Winlogbeat to Send Logs to Logstash.

.\notepad.exe 'C:\Program Files\Winlogbeat\winlogbeat.yml'

We need to replace with our Logstash machine's IP.

Next let's test the configuration:

.\winlogbeat.exe test config -c .\winlogbeat.yml

Next, let's start the service:

Start-Service winlogbeat
Get-service winlogbeat

Before sending logs, let's check the connection to the configured output (Logstash) is established.

.\winlogbeat.exe test output

This command verifies if Winlogbeat can successfully send logs to the configured destination.

Next, we need to run Winlogbeat using the winlogbeat.yml configuration file and shows real-time logs in the console.

.\winlogbeat.exe -c .\winlogbeat.yml -e

  • .\winlogbeat.exe → Runs the Winlogbeat program to collect windows logs.

  • -c .\winlogbeat.yml → Uses the winlogbeat.yml file for configuration (tells Winlogbeat where to send logs, like Logstash).

  • -e → Shows log messages on the screen instead of saving them to a file.

We now need to confirm whether ELK successfully receives logs from Logstash.

From Stack Management → Index Management

Let's create an index and review the logs on the Discover page.

HOSTNAME.EXE

Summary:

Winlogbeat acts as a log shipper, ensuring logs are collected useing Windows APIs and sent to a central location (Logstash) for further processing.

  • Winlogbeat is configured to monitor specific Windows Event Logs (Security, Application, System logs) based on the winlogbeat.yml file.

  • It reads the logs from the Windows Event Log service and packages them into structured JSON documents.

  • Winlogbeat then sends these JSON documents to Logstash (on port 5044).

Logstash is configured with a pipeline defined in /etc/logstash/conf.d/winlogbeat.conf

  • The pipeline has three main sections:

    1. Input: Listens for incoming data from Winlogbeat on port 5044 using the Beats input plugin.

    2. Filter (Optional)

    3. Output: Sends the processed logs to Elasticsearch using the Elasticsearch output plugin.

Elasticsearch is the storage engine that indexes and makes logs searchable.

  • Elasticsearch receives the processed logs from Logstash.

  • Logs are mapped to specific fields (timestamp, event ID, source, etc).

  • The logs are indexed into a time-based index (e.g., winlogbeat-2025.2.7), making them searchable and analyzable.

Kibana provides the user interface to search, analyze, and visualize logs.

  • Kibana connects to Elasticsearch and retrieves the indexed logs.

  • It uses the index pattern ( winlogbeat-*) to query the logs.

  • We can create visualizations and dashboards to analyze the logs in real-time.

PreviousSet up Winlogbeat & Filebeat for log collectionNextEnable Windows Audit Policy & Winlogbeat

Last updated