• Download the Filebeat Windows zip file from the official downloads page.

  • Extract the contents of the zip file into C:\Program Files.

  • Rename the filebeat-<version>-windows directory to Filebeat.

  • Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select Run As Administrator). If you are running Windows XP, you may need to download and install PowerShell.

  • Run the following commands to install Filebeat as a Windows service:

    PS > cd 'C:\Program Files\Filebeat'
    PS C:\Program Files\Filebeat> .\install-service-filebeat.ps1`
      If script execution is disabled on your system, you need to set the execution policy for the current session to allow the script to run. For example: PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-filebeat.ps1.

Locate the configuration file

Open C:\Program Files\Filebeat\filebeat.yml

Configure the inputs

Setup the data you wish to send us, by editing the prospector path variables.
These fully support wildcards. You can also add a document type.
An example with nginx logs might look like


- type: log
  enabled: true
    - C:\inetpub\logs\LogFiles\*\*
    type: iis
  fields_under_root: true
  encoding: utf-8
  exclude_lines: ["^#"]
  exclude_files: [".zip"]
  ignore_older: 24h
  There's also a full example configuration file called filebeat.reference.yml that shows all the possible options.

Configure output

We'll be shipping to Logstash so that we have the option to run filters before the data is indexed.
Comment out the elasticsearch output block.

## Comment out elasticsearch output
#  hosts: ["localhost:9200"]

Uncomment and change the logstash output to match below.

    hosts: ["your-logstash-host:your-port"]
    loadbalance: true
    ssl.enabled: true

Validate configuration

Let's check the configuration file is syntactically correct.

Run from the extracted archive dir

filebeat -e -c filebeat.yml

Start filebeat

Ok, time to start ingesting data!

PS C:\Program Files\Filebeat> Start-Service filebeat