Integrating the Windows OS Events Insight Pack with logstash

Configuring logstash on Windows allows Windows OS events to be forwarded to IBM® Operations Analytics - Log Analysis.

1. On the target Windows Server ensure that logstash is not running. For information on how to stop logstash, see the section Stopping logstash in the IBM Operations Analytics - Log Analysis Knowledge Center.
2. Make a backup of the <logstash Location>\lstoolkit\logstash\config\logstash-scala.conf file.
3. On the IBM Operations Analytics - Log Analysis server, copy the logstash-scala.conf file to the target Windows Server.

   The logstash-scala.conf file is located in the directory that Windows OS Events Insight Pack is installed in.

   The location of the Windows OS Events Insight Pack can be determined by using the pkg_mgmt.sh command:

   <HOME>/IBM/LogAnalysis/utilities/pkg_mgmt.sh -list

4. On the Windows Server place the logstash-scala.conf file in the location <logstash Location>\lstoolkit\logstash\config. This overwrites the existing version.
5. On the Windows server ensure that logstash eif output module is configured to send data to the IBM Operations Analytics - Log Analysis server.
6. On the Windows server check that the values of the output module in the new logstash-scala.conf file match that of the backed up copy. This check is needed if you have specified a non-standard location for the eif output module.
7. On the target Windows Server start logstash. For information on how to start logstash, see the section Starting logstash in the IBM Operations Analytics - Log Analysis Knowledge Center.