Download and install Filebeat from [[https://www.elastic.co/downloads/beats/filebeat]]

Edit the filebeat.yml file:

  - Under **filebeat.prospectors** set the path to the directory containing the NPS log files (e.g. //C:\Windows\System32\LogFiles\*//)
  - If there is a line **enabled: false** then change it to **true**.
  - Make sure that the **output.elasticsearch** output is commented out.
  - Under **output.logstash** the key line is **hosts: ["elk.govroam.uk:5044"]**, which is where the logs will be sent.
  - Everything else in that section should be commented out.
  - Start/Restart the filebeat service.

This is the bare minimum for taking the logs from NPS and sending them to the Govroam log server. Get this working first before trying the encryption.

**JISC will need to know the hostname/IP address of the system sending the logs (or the public IP from which the logs originate) so that the firewall can be updated.**

Adding encryption is pretty straightforward.

  - Under **output.logstash** add the line **ssl.enabled: true**
  - Change the port from **5044** to **5055**.

If you're using the hostname **elk.govroam.uk** and have a set of Root CAs installed (normally the default for the OS) then filebeat should just be able to enable encryption. Run it in command line mode to see any errors.

See the [[https://www.elastic.co/guide/en/beats/filebeat/current/configuring-ssl-logstash.html|official filebeat SSL guide]] for details.

====Experimental====

Suggested here for dealing with errors in Logstash: https://discuss.elastic.co/t/logstash-xml-parse-with-meta-data/103687/6

<code yaml>
filebeat.prospectors:
- type: log
  paths:
    - /path/to/log
  encoding: 'windows-1252'
  # multiline.pattern: '^\<\?'
  # multiline.negate: true
  # multiline.match: after
  fields_under_root: true
</code>
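The basic and encrypted setup steps above, consolidated into one filebeat.yml with the plaintext output on port 5044 shown beside the encrypted one on 5055. This is an added example, not the Govroam project's own file; the commented-out Elasticsearch host and the notes on certificate verification are assumptions beyond what the steps list.

```yaml
# Added example. Log path, hostname and ports are the ones given in the steps above.

filebeat.prospectors:
  - type: log
    enabled: true                          # change from "false" if present
    paths:
      - 'C:\Windows\System32\LogFiles\*'   # directory containing the NPS log files

# The Elasticsearch output must stay commented out; only Logstash is used.
# (Host value below is an assumption: the usual default in a fresh filebeat.yml.)
#output.elasticsearch:
#  hosts: ["localhost:9200"]

output.logstash:
  # Stage 1, unencrypted: get log delivery working with this line first.
  #hosts: ["elk.govroam.uk:5044"]

  # Stage 2, encrypted: same host, TLS listener on port 5055.
  hosts: ["elk.govroam.uk:5055"]
  ssl.enabled: true

  # No ssl.certificate_authorities is set here, so the server certificate is
  # checked against the operating system's root CA store.
  #
  # Leave ssl.verification_mode at its default ("full"): the certificate chain
  # and the hostname are both verified, so "hosts" should carry the hostname
  # elk.govroam.uk rather than an IP address. Setting it to "none" to silence
  # a certificate error removes the protection the encryption step is for.
  #ssl.verification_mode: full
```

Running `filebeat test config` and `filebeat test output` from the command line checks the file and the TLS connection before the service is restarted.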