Module 23 - Azure Sentinel - Send Events with Filebeat and Logstash

Filebeat Logstash to Azure Sentinel

In this new post we are going to explore how to send events/logs to Azure Sentinel using Filebeat and Logstash.

How to install and configure Filebeat

Filebeat can be downloaded from here:

To install Filebeat, run the following commands (on Ubuntu 18 in my case):

wget -qO - | sudo apt-key add -
echo "deb stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list 
sudo apt update
sudo apt install filebeat

Filebeat ships with a number of built-in log modules for common sources.

For example, let's enable the system module:

sudo filebeat modules enable system

Edit the config file:

sudo vi /etc/filebeat/filebeat.yml

Comment out the Elasticsearch output section and uncomment the Logstash output section, pointing it at the host where Logstash will run.

Start Filebeat:

sudo service filebeat start

To check its status type:

sudo service filebeat status

How to install and configure Logstash

Logstash is a free and open server-side data processing pipeline that ingests data from a multitude of sources, transforms it, and then sends it to your favorite "stash." (Source:

Logstash can be downloaded from here:

sudo apt install -y openjdk-8-jdk
sudo apt-get install logstash

Change into /etc/logstash/conf.d/:

cd /etc/logstash/conf.d/

Create a new config file:

sudo vi Azure-Sentinel.conf

Add the following content:

input {
  # Receive events from Filebeat on the port configured in its Logstash output
  beats {
    port => "5044"
  }
}
filter {
}
output {
  # Forward every event to the Sentinel (Log Analytics) workspace
  microsoft-logstash-output-azure-loganalytics {
    workspace_id => "<your workspace id>"
    workspace_key => "<your workspace key>"
    custom_log_table_name => "tableName"
  }
}

More configurations can be found here:
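As an added example (not from the original post or from Microsoft's plugin documentation), here is a fuller version of the same pipeline file that a practitioner would typically run in production: it requires TLS from Filebeat on the beats input, forwards only events produced by the Filebeat system module, strips fields that carry no value in Sentinel, and reads the workspace id and key from environment variables (or the Logstash keystore) instead of writing the key into the config file. It assumes the output plugin has already been installed with `sudo /usr/share/logstash/bin/logstash-plugin install microsoft-logstash-output-azure-loganalytics`; the certificate paths, the `SENTINEL_WORKSPACE_ID` / `SENTINEL_WORKSPACE_KEY` variable names and the `LinuxSystemLogs` table name are placeholders chosen for this example.

```conf
# Added example for /etc/logstash/conf.d/Azure-Sentinel.conf (not the original post's config).
# Assumes: microsoft-logstash-output-azure-loganalytics is installed, Filebeat's
# system module ships to port 5044 with TLS, and the two SENTINEL_* variables are
# set in Logstash's environment or keystore. Paths and names are placeholders.

input {
  beats {
    port => 5044
    # Require TLS so log content does not cross the network in clear text.
    ssl => true
    ssl_certificate => "/etc/logstash/certs/logstash.crt"
    ssl_key => "/etc/logstash/certs/logstash.key"
  }
}

filter {
  # Forward only events produced by the Filebeat system module; drop anything
  # else so an unexpected Beat cannot fill the Sentinel table with noise.
  if [event][module] != "system" {
    drop { }
  }
  mutate {
    # Record the shipping host explicitly so the source is obvious in Sentinel,
    # and remove Beat bookkeeping fields that only add ingestion volume.
    add_field => { "sentinel_source" => "%{[host][name]}" }
    remove_field => [ "@version", "agent", "ecs", "input" ]
  }
}

output {
  microsoft-logstash-output-azure-loganalytics {
    # ${VAR} is resolved by Logstash from the environment or its keystore,
    # keeping the workspace key out of a world-readable config file.
    workspace_id => "${SENTINEL_WORKSPACE_ID}"
    workspace_key => "${SENTINEL_WORKSPACE_KEY}"
    custom_log_table_name => "LinuxSystemLogs"
  }
}
```

Before restarting the service, validate the file with `sudo /usr/share/logstash/bin/logstash --path.settings /etc/logstash --config.test_and_exit`, and store the two secrets with `sudo /usr/share/logstash/bin/logstash-keystore add SENTINEL_WORKSPACE_ID` (and likewise for the key) rather than exporting them in a shell profile. On the Sentinel side, Log Analytics exposes data sent through this plugin as a custom log table named after `custom_log_table_name` with a `_CL` suffix (here `LinuxSystemLogs_CL`), and the `sentinel_source` field appears as a column of that table.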

Start Logstash:

sudo service logstash start

You can now query the events in the Sentinel workspace by selecting the table name you configured.