Send Logs from Winlogbeat through Logstash to ELK
Last updated
Last updated
I have successfully installed Elasticsearch and Kibana on an Ubuntu machine. Now, I would like to install Logstash on a separate Ubuntu machine.
Logstash needs a configuration file to tell it where to receive logs from and where to send them. So let's make a new one for Winlogbeat.
Replace the IP address, username, and password with your own credentials.
Before starting Logstash, let's check if the configuration is correct:
"Configuration OK", the config is good!
This command will parse the configuration files (including any files in /etc/logstash/conf.d/) and report any errors or warnings.
-t → It parses and validates all the configuration files (found in the directory specified by --path.settings, such as /etc/logstash) to check for syntax errors or misconfigurations, then exits once testing is complete. This is useful because it allows us to ensure the configuration is correct before we start processing events.
Now let's start and enable Logstash.
Next, we need to configure Logstash to listen for incoming data from Winlogbeat on port 5044.
When you run this command:
Logstash will start and load the configuration from /etc/logstash/conf.d/winlogbeat.conf.
It will begin listening for incoming data (from Winlogbeat on port 5044).
It will process the data according to the configuration and send it to the specified output ( Elasticsearch).
Let's verify if there are any issues.
This command displays the most recent 50 log lines from the Logstash service
Now we need to configure Winlogbeat to Send Logs to Logstash.
We need to replace with our Logstash machine's IP.
Next let's test the configuration:
Next, let's start the service:
Before sending logs, let's check the connection to the configured output (Logstash) is established.
This command verifies if Winlogbeat can successfully send logs to the configured destination.
Next, we need to run Winlogbeat using the winlogbeat.yml configuration file and shows real-time logs in the console.
.\winlogbeat.exe → Runs the Winlogbeat program to collect windows logs.
-c .\winlogbeat.yml → Uses the winlogbeat.yml file for configuration (tells Winlogbeat where to send logs, like Logstash).
-e → Shows log messages on the screen instead of saving them to a file.
We now need to confirm whether ELK successfully receives logs from Logstash.
From Stack Management → Index Management
Let's create an index and review the logs on the Discover page.
Winlogbeat acts as a log shipper, ensuring logs are collected useing Windows APIs and sent to a central location (Logstash) for further processing.
Winlogbeat is configured to monitor specific Windows Event Logs (Security, Application, System logs) based on the winlogbeat.yml file.
It reads the logs from the Windows Event Log service and packages them into structured JSON documents.
Winlogbeat then sends these JSON documents to Logstash (on port 5044).
Logstash is configured with a pipeline defined in /etc/logstash/conf.d/winlogbeat.conf
The pipeline has three main sections:
Input: Listens for incoming data from Winlogbeat on port 5044 using the Beats input plugin.
Filter (Optional)
Output: Sends the processed logs to Elasticsearch using the Elasticsearch output plugin.
Elasticsearch is the storage engine that indexes and makes logs searchable.
Elasticsearch receives the processed logs from Logstash.
Logs are mapped to specific fields (timestamp, event ID, source, etc).
The logs are indexed into a time-based index (e.g., winlogbeat-2025.2.7), making them searchable and analyzable.
Kibana provides the user interface to search, analyze, and visualize logs.
Kibana connects to Elasticsearch and retrieves the indexed logs.
It uses the index pattern ( winlogbeat-*) to query the logs.
We can create visualizations and dashboards to analyze the logs in real-time.
