I am working in a big company. One of my responsibilities is to inform the network team. But they cannot understand the ELK structure. They have an alert monitoring system that works when our system gets stuck. They offered to have us send logs from Logstash to the Windows event log. We accepted it.

So I need to send logs using a Logstash output and grok filtering (query= level:"Error" and eventid="1796"). How can I send logs to the Windows event log (not from the Windows event log to Logstash) using Logstash and grok?

My Logstash config is:

input {
  file {
    type => "json"
    path => ["C:/Temp/logs/*.json"]
    start_position => "beginning"
    codec => "json"
    discover_interval => 120
    stat_interval => 60
    sincedb_write_interval => 60
    close_older => 60
  }
}
filter {
  mutate {
    remove_field => [ "path" ]
  }
}
output {
  stdout {
    codec => rubydebug
  }
  elasticsearch {
    hosts => ["http://loguser:xxyyzz_2017@192.168.1.92:333"]
    index => "logstash-%{+YYYY.MM}"
  }
}

halfer
Penguen

1 Answer

As of the date of this answer, there is not a Logstash output plugin for Windows events. You could create a plugin of your own in Ruby to do this. There should be sufficient documentation on creating output plugins online, and there is documentation online on how to output to the Windows event log from Ruby (Hint: https://rosettacode.org/wiki/Write_to_Windows_event_log#Ruby)

It looks like it might also be possible to use the pipe output to construct a command line (https://rosettacode.org/wiki/Write_to_Windows_event_log#Batch_File) that will log the event you need.

Alcanzar
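The pipe-output route from the answer, worked through as an added example (this is not code from the question, the answer, or the Logstash project). The assumed Logstash side is shown in the header comment: an output conditional on the two fields the question names (level and eventid) so that only matching events reach the pipe, and a pipe output whose command is a PowerShell script. With message_format omitted, the pipe output writes each event as one JSON line to the command's stdin and keeps the process open until the pipe has been idle for ttl seconds, so the script loops over stdin rather than reading once. The script path C:\Temp\forward-event.ps1, the event source name LogstashForwarder and the Application log are assumptions. Write-EventLog is used instead of eventcreate.exe because eventcreate limits /ID to 1..1000, which rules out 1796.

```powershell
# forward-event.ps1 (added example; not from the question or answer).
# Assumed Logstash output stanza that invokes it:
#
#   output {
#     if [level] == "Error" and [eventid] == "1796" {
#       pipe {
#         command => "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Temp\forward-event.ps1"
#         # message_format omitted: the full event is written as one JSON line
#       }
#     }
#   }

param(
    [string]$LogName = 'Application',
    [string]$Source  = 'LogstashForwarder',   # assumed source name
    [string]$Level   = 'Error',
    [int]$EventId    = 1796
)

# Registering an event source needs an elevated shell. Run this once from an
# administrator prompt; the Logstash service account only needs write access
# to the log afterwards, so it does not have to run elevated itself.
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName $LogName -Source $Source
}

# Map a textual level onto a Windows EntryType. Write-EventLog accepts
# EventId 0..65535, unlike eventcreate.exe whose /ID range is 1..1000.
function ConvertTo-EntryType([string]$lvl) {
    switch -Regex ($lvl) {
        '^(error|fatal|critical)$' { 'Error' }
        '^warn(ing)?$'             { 'Warning' }
        default                    { 'Information' }
    }
}

# The pipe output holds stdin open; ReadLine returns $null only when Logstash
# closes the pipe (after ttl seconds of inactivity), at which point we exit
# and Logstash respawns the command on the next matching event.
while ($null -ne ($line = [Console]::In.ReadLine())) {
    if ([string]::IsNullOrWhiteSpace($line)) { continue }
    try {
        $evt = $line | ConvertFrom-Json
    } catch {
        # Do not let one malformed line kill the forwarder; leave a trace of
        # what was dropped so the pipeline can be debugged from the log itself.
        Write-EventLog -LogName $LogName -Source $Source -EventId 1 `
            -EntryType Warning -Message "Unparseable event line: $line"
        continue
    }

    # Defence in depth: re-check the selection the Logstash conditional made,
    # so a later change to the pipeline cannot flood the Windows log.
    if ([string]$evt.level -ne $Level -or [string]$evt.eventid -ne "$EventId") { continue }

    $body = "$($evt.'@timestamp') host=$($evt.host)`n$($evt.message)"
    Write-EventLog -LogName $LogName -Source $Source -EventId $EventId `
        -EntryType (ConvertTo-EntryType $evt.level) -Message $body
}
```

The network team's monitoring then only has to watch the Application log for source LogstashForwarder and event ID 1796. If the events in the JSON files carry host as an object rather than a string (newer Logstash versions use host.name), change the $body line to read $evt.host.name.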