Logstash Pipeline config for Winlogbeat, Auditbeat, Filebeat and Metricbeat

Versions:
OpenSearch v2.13.0
Ubuntu 22.04 (Virtual Machine in Windows 11)
Auditbeat, Filebeat v8.13.4
Winlogbeat, Metricbeat v8.15.1

Describe the issue:
I am using a data stream including Auditbeat/Filebeat → Logstash → OpenSearch. Now I want to also include Winlogbeat, so I installed Winlogbeat on my Windows machine with this config:

which points to my Logstash place in the Virtual Machine.
But now when I try to configure the Logstash pipelines.yml with Winlogbeat added, it doesn’t push the logs into OpenSearch anymore, even for Auditbeat and Filebeat.

Configuration:
This is the old output config in Logstash for Auditbeat and Filebeat which works fine:

And this is the current output config that doesn’t work:

All the beats are still running so I think this config is the main reason.

Thanks for your help in advance.

Hi @gray653 ,

Could you please share your Logstash input configurations and winlogbeat.yml file?

Also, I would check if your port and IP are reachable. To do that, you can execute the following command:

curl -v telnet://<ip-address>:<port>

Hi @gray653 ,

Have you tried using just the if [agent][type] == "winlogbeat" statement and removing the others?

Thanks for your time
I managed to solve the problem; it might just be some syntax error. I brought the file into VS Code to have a better view and rewrote it, and it works just fine.

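For reference, a pipeline that routes the four Beats by `[agent][type]`, as discussed in the thread. This is an added example, not the configuration posted by the original author (which is not shown on the page); the host, port, user, index names and the `OPENSEARCH_PASSWORD` variable are assumed placeholders.

```logstash
# Added example; hosts, user, index names and the env variable are placeholders.
input {
  beats {
    port => 5044   # assumed port; must match output.logstash.hosts in every Beat
  }
}

output {
  if [agent][type] == "winlogbeat" {
    opensearch {
      hosts    => ["https://opensearch.example.internal:9200"]
      index    => "winlogbeat-%{+YYYY.MM.dd}"
      user     => "logstash_writer"
      password => "${OPENSEARCH_PASSWORD}"   # read from the environment or the Logstash keystore
      ssl_certificate_verification => true
    }
  } else if [agent][type] in ["auditbeat", "filebeat", "metricbeat"] {
    opensearch {
      hosts    => ["https://opensearch.example.internal:9200"]
      index    => "%{[agent][type]}-%{+YYYY.MM.dd}"   # one index family per Beat
      user     => "logstash_writer"
      password => "${OPENSEARCH_PASSWORD}"
      ssl_certificate_verification => true
    }
  } else {
    # Catch-all so events with a missing or unexpected agent.type are not silently lost.
    opensearch {
      hosts    => ["https://opensearch.example.internal:9200"]
      index    => "unrouted-%{+YYYY.MM.dd}"
      user     => "logstash_writer"
      password => "${OPENSEARCH_PASSWORD}"
      ssl_certificate_verification => true
    }
  }
}
```

Running `logstash --config.test_and_exit -f <pipeline file>` before restarting the service reports syntax errors such as an unbalanced brace, which otherwise stop the whole pipeline and every Beat feeding it.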