Winlogbeat (Windows 7) - Events arriving at Logstash Input but not appearing in Kibana #15459

nismanidesysoldan · 2026-02-04T19:56:29Z

nismanidesysoldan
Feb 4, 2026

Version

2.4.200

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

4

RAM

32

Storage for /

100

Storage for /nsm

50

Network Traffic Collection

other (please provide detail below)

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Hi everyone,

I'm having trouble configuring Winlogbeat on a Windows 7 machine. I'm new to Security Onion and I'm running into an issue I can't quite figure out.

I found a similar discussion that describes almost the exact same behavior:

#13962

Current Status: I managed to get the installed Winlogbeat to send events. I have confirmed that traffic is passing through the firewall, and I can see the packets arriving at the interface via tcpdump. On the Winlogbeat side, I don't see any errors in the logs anymore (connection is established).

However, I cannot see any logs in Kibana or the Dashboards.

Environment:

OS: Windows 7

Agent: Winlogbeat 7.17.16 (downloaded from the Elastic site, as this is the last version supporting Windows 7).

I couldn't find specific documentation in SO regarding this legacy setup. Reading the official Elastic documentation is a bit confusing as it assumes a standard Elastic stack architecture, which differs from the Security Onion architecture.

Following the advice from the discussion linked above, I checked so-logstash-pipeline-stats manager. I can see the event counter increasing in the inputs, so I understand the events are effectively reaching Logstash.

The Issue: Even though the stats show events coming in (and going out of the manager pipeline), I still don't see them in Kibana.

What else should I check?

Guidelines

I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

cm-ops · 2026-02-06T19:47:55Z

cm-ops
Feb 6, 2026
Maintainer

What port are you using for WLB? 5044?

1 reply

nismanidesysoldan Feb 18, 2026
Author

yes, im using that port

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Winlogbeat (Windows 7) - Events arriving at Logstash Input but not appearing in Kibana #15459

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment 1 reply

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Winlogbeat (Windows 7) - Events arriving at Logstash Input but not appearing in Kibana #15459

Uh oh!

nismanidesysoldan Feb 4, 2026

Version

Installation Method

Description

Installation Type

Location

Hardware Specs

CPU

RAM

Storage for /

Storage for /nsm

Network Traffic Collection

Network Traffic Speeds

Status

Salt Status

Logs

Detail

Guidelines

Replies: 1 comment · 1 reply

Uh oh!

cm-ops Feb 6, 2026 Maintainer

Uh oh!

nismanidesysoldan Feb 18, 2026 Author

nismanidesysoldan
Feb 4, 2026

Replies: 1 comment 1 reply

cm-ops
Feb 6, 2026
Maintainer

nismanidesysoldan Feb 18, 2026
Author