Using Windows APIs, Winlogbeat tracks event logs (such as application events, hardware events, security events, and system events), filters the events according to user instructions, and forwards the output to either Elasticsearch or Logstash.

Logstash Filters

Learn Logstash in simple and easy steps, starting from basic to advanced concepts, with examples including Introduction, ELK Stack, Installation, Internal Architecture, Collecting Logs, Supported Inputs, Parsing the Logs, Filters, Transforming the Logs, Output Stage, Supported Outputs, Plugins, Monitoring APIs, Security and Monitoring.

So, your code will only work if the RAW data being sent is already in JSON format before it hits Logstash. I am using nxlog on a Windows server to send event logs to Logstash, and the data being sent is formatted to JSON in the output section.

This input will pull events from a Windows Event Log. Note that Windows Event Logs are stored on disk in a binary format and are only accessible from the Win32 API. This means Logstash needs to be running as an agent on the Windows servers where you wish to collect logs from, and the logs will not be accessible across the network.

A Logstash grok filter to parse and tokenize the message field of Windows eventlog entries.
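The two pipeline stages the text describes, written out as an added example rather than code from the page or from Logstash/nxlog: a JSON stage that decodes nxlog-style lines only when they really are JSON (falling through with a tag, modelled on the json filter's `_jsonparsefailure`, otherwise), followed by a tokenizer that splits a Windows event's `Message` field into `Key: Value` pairs the way a grok/kv filter would. The sample event lines, field names and the 4624-style message text are constructed for this example.

```python
import json
import re

# Constructed samples: one nxlog-style JSON event line and one line that
# is not JSON at all (what the forum reply warns the json stage cannot parse).
SAMPLE_LINES = [
    '{"EventTime":"2024-01-01 10:00:00","Hostname":"WIN-SRV1","EventID":4624,'
    '"Channel":"Security","Message":"An account was successfully logged on.'
    '\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tS-1-5-18\\r\\n\\tAccount Name:\\t\\tWIN-SRV1$'
    '\\r\\n\\r\\nLogon Type:\\t\\t3"}',
    'Jan  1 10:00:01 WIN-SRV1 plain text line that is not JSON',
]

# "Key:<whitespace>Value" lines inside a Windows event message body.
# Section headers such as "Subject:" carry no value and do not match.
_KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(\S.*?)\s*$")


def parse_line(line: str) -> dict:
    """Stage 1 (json filter stand-in): decode only if the raw line is a JSON
    object; otherwise keep the raw text under 'message' and tag the failure."""
    try:
        event = json.loads(line)
        if not isinstance(event, dict):
            raise ValueError("JSON but not an object")
        return event
    except ValueError:  # json.JSONDecodeError is a ValueError subclass
        return {"message": line, "tags": ["_jsonparsefailure"]}


def tokenize_message(message: str) -> dict:
    """Stage 2 (grok/kv stand-in): turn the multi-line Message body into
    flat fields, normalising 'Security ID' to 'Security_ID' and so on."""
    fields = {}
    for raw in message.replace("\r\n", "\n").split("\n"):
        match = _KV_RE.match(raw)
        if match:
            fields[match.group(1).strip().replace(" ", "_")] = match.group(2)
    return fields


def process(line: str) -> dict:
    """Run both stages; 'win' is only added when a Message field exists."""
    event = parse_line(line)
    if isinstance(event.get("Message"), str):
        event["win"] = tokenize_message(event["Message"])
    return event
```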

