This guide walks you through setting up Winlogbeat on a Windows 10 VM to collect Windows Event Logs and send them to your Logstash + Elasticsearch setup.
✅ Tested with Winlogbeat 9.0.0 and ELK Stack 8.17.4
Before configuring Winlogbeat, create a dedicated Windows 10 virtual machine using VirtualBox, VMware, or any hypervisor.
🔹 Minimum requirements:
- 2 GB RAM
- 2 CPU cores
- Bridged or NAT Network (accessible to Ubuntu/ELK VM)
- Enable file sharing or internet access to download Winlogbeat
- Download the .zip version of Winlogbeat.
- Extract the contents (e.g., winlogbeat-9.0.0-windows-x86_64.zip) to:
  C:\Users\<YourName>\Desktop\winlogbeat-9.0.0-windows-x86_64
Edit the file winlogbeat.yml so that the Logstash output is enabled (note that `hosts` must be indented under `output.logstash`):

```yaml
output.logstash:
  hosts: ["192.168.1.10:5044"]
```

📌 Replace 192.168.1.10 with the IP address of your Ubuntu/Logstash VM.

Leave the default Elasticsearch output commented out; Winlogbeat refuses to start when more than one output is enabled:

```yaml
# output.elasticsearch:
#   hosts: ["localhost:9200"]
```

Open PowerShell, navigate to the extracted folder and test the output connection:

```powershell
.\winlogbeat.exe test output
```

✅ Output should show:

```
connection... OK
talk to server... OK
```
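As an added check that is not part of this guide or of Winlogbeat itself, the following Python script validates the two winlogbeat.yml settings above before you run the connection test: it confirms that exactly one output block is enabled, that it is `output.logstash`, and that its host is not a loopback address and uses the beats input port 5044. It assumes the flat, inline-list layout shown in this guide (a line-based scan, not a full YAML parser); the embedded sample config is constructed.

```python
import re
# Constructed excerpt of a winlogbeat.yml in the layout this guide uses (not the full file).
SAMPLE_YML = """\
winlogbeat.event_logs:
  - name: Security
  - name: System

output.logstash:
  hosts: ["192.168.1.10:5044"]

# output.elasticsearch:
#   hosts: ["localhost:9200"]
"""

TOP_KEY = re.compile(r"^(output\.[a-z_]+):\s*$")   # un-indented, uncommented output.* block
HOSTS = re.compile(r"^\s+hosts:\s*\[(.*)\]\s*$")    # inline list form: hosts: ["a:1", "b:2"]

def enabled_outputs(yml_text):
    """Return {output_name: [hosts]} for every output.* block that is not commented out."""
    outputs, current = {}, None
    for line in yml_text.splitlines():
        if line.startswith("#"):
            continue                                # commented-out block: disabled
        key = TOP_KEY.match(line)
        if key:
            current = key.group(1)
            outputs[current] = []
            continue
        if line and not line[0].isspace():
            current = None                          # another top-level key ends the block
        hosts = HOSTS.match(line) if current else None
        if hosts:
            outputs[current] = [h.strip().strip("\"'") for h in hosts.group(1).split(",") if h.strip()]
    return outputs

def check_config(yml_text, expected_port=5044):
    """Return a list of problems; an empty list means the file matches this guide's setup."""
    problems, outputs = [], enabled_outputs(yml_text)
    if len(outputs) != 1:                           # Winlogbeat refuses to start otherwise
        problems.append(f"exactly one output must be enabled, found: {sorted(outputs) or 'none'}")
    if "output.logstash" not in outputs:
        problems.append("output.logstash is not enabled (is it still commented out?)")
    for host in outputs.get("output.logstash", []):
        addr, _, port = host.rpartition(":")
        if not port.isdigit() or int(port) != expected_port:
            problems.append(f"{host}: port should be {expected_port}, the Logstash beats input port")
        if addr in ("localhost", "127.0.0.1"):
            problems.append(f"{host}: loopback address will never reach the Logstash VM")
    return problems
```

Run `check_config(open("winlogbeat.yml").read())` against your real file; an empty list means the output section is consistent with this guide.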
Run Winlogbeat in the foreground to confirm event log transmission:

```powershell
.\winlogbeat.exe -e
```

📤 Logs will begin to flow to Logstash if everything is working.
Ensure your Logstash config can accept Winlogbeat logs:

```conf
input {
  beats {
    port => 5044
  }
}

filter {
  # Beats identify themselves in [agent][type]; [agent][name] holds the sending host's name
  if [agent][type] == "winlogbeat" {
    mutate {
      add_field => { "source_type" => "windows_event_log" }
    }
  }
}

output {
  if [agent][type] == "winlogbeat" {
    elasticsearch {
      hosts => ["https://localhost:9200"]
      user => "elastic"
      password => "your_password"
      ssl_enabled => true
      ssl_verification_mode => "full"
      ssl_certificate_authorities => ["/path/to/http_ca.crt"]
      index => "winlogbeat-events"
    }
    stdout { codec => rubydebug }
  }
}
```
🔁 Restart Logstash to apply changes.
- Go to Kibana > Stack Management > Data Views
- Create a new Data View:
  - Pattern: winlogbeat-events
- Go to Discover and select your new Data View to inspect logs.
All referenced images should be stored in:
/images/05-integrate-winlogbeat

