Installing Winlogbeat and Logstash on a Windows host

To retrieve Winlogbeat JSON formatted events in QRadar®, you must install Winlogbeat and Logstash on your Microsoft Windows host.

Before you begin

Ensure that you are using the Oracle Java™ Development Kit V8 for Windows x64 and later.


  1. Install Winlogbeat 7.7 by using the default values. For more information, see Getting Started With Winlogbeat (
  2. Start the Winlogbeat service.
    Note: For Windows services, the service name is Winlogbeat. After installation, the service is set to STOPPED, and then must be started for the first time. Any configuration changes beyond this point require a service restart.
  3. Optional. For more flexibility when you configure Winlogbeat, see Set up Winlogbeat (
  4. Install Logstash by downloading the package and saving it to a file location of your choice.
  5. To ensure that Winlogbeat communicates properly with QRadar, see Configure Winlogbeat to use Logstash (
    The following basic sample configuration file can be used in the <logstash_install_directory>/config file.
    	input {	 beats {	    port => 5044	  }	}	output {	  tcp {	    host => [""]	    port => 514	    mode => "client"	    codec => "json_lines"	  }	  stdout { codec => rubydebug }	}
    • If you are using rubydebug, debugging must be enabled in the logstash.yml file. Uncomment the line # log.level: info, and replace info with debug. Restarting the service is required after any configuration changes.
    • The codec in output must be set to json_lines to ensure that each event is sent separately to QRadar.
    • If you want to send Kafka output to an existing Kafka server, see Configure the Kafka output (
  6. Ensure that Logstash is set up correctly by verifying that the config file for Logstash is working. Run the following command from the Logstash bin directory:
    logstash --config.test_and_exit -f <path_to_config_file>
  7. Ensure that Winlogbeat is configured correctly.
    1. Verify that the config file is working by running the following command from the winlogbeat directory:
      ./winlogbeat test config
    2. Verify that Winlogbeat can access the Logstash server by running the following command from the winlogbeat directory:
      ./winlogbeat test output

      If the output of the ./winlogbeat test output command is successful, it might break any existing connection to Logstash. If the connection breaks, restart the Logstash service.

What to do next

Add a log source in QRadar and use the parameters that are listed in Microsoft Windows Security Event Log log source parameters.