Winlogbeats - Test message

Has anyone had any success sending a test message to a beats input to emulate a windows message coming in? (preferably via powershell) Once again my google-fu is failing. Example meta-code:

$> netcat-send-message -message "This is my test message" -server graylogOne:5044

netcat-send-message is not a real command I am making the whole thing up… hoping its a simple command like this.

Ill look into tonight 4 ya,

NOTE: did you know that 500 10TB HDD spinning at 10K rpm sounds like a 747 jet :laughing: True story.


I should have put in there that I am writing a Powershell script to test out windows event_ID’s and their alerts - I just need a command to insert a test event into winlogbeat with the relevant event_id’s.


This was tedious,
Windows does not have netcat BUT I did find this, for testing. I isolated this software just incase it was shady.

Once downloaded you have to navigate to the NCAP folder C:\Program Files (x86)\ncap
and execute something like this

.\ncat.exe -z "This is my test message" -server "" -p 5044

I couldn’t get it to work.

Next, Telnet
Had to enable it through Add programs and Feature

I was also unable to get this to work. Perhaps you may have better luck
The following PS commands were tried without success.

  • Write-EventLog
  • Invoke-Command
  • Test-Connection
  • Test-Path

I looked here
And here

Then :smiley:

PS> net send {username | message

PS> msg message "hello"

Lastly I think maybe something like this

PS> echo ‘First CLI Log Message!’ | nc -N 5044


1 Like


I tried, only way I see that happing is to use a third party app.
I did make some success by using this command and picking it up with a shipper.

PS C:\Users\greg.smith> "This will be written to the text file" | Out-File -FilePath C:\Users\greg.smith\Desktop\helping.txt

I am curious if you do solve this…

Further thoughts … There is an expectation of the server_api_token in the communication… I just don’t know how to express it… First try:

curl -v -H "Authorization: ApiKey " http://:5044/beats -p0 -d ‘{“message”:“Texas Two Steps forward”}’

I am debating just creating a filebeat instance on a test machine and dumping one-liners to be caught in there…if I process each line to include event_ID field and any other relevant information I can adjust the input and pipelines to consider data coming from filebeat as well… It’s not a pretty situation though - I would prefer to create a powershell script that perhaps asks for your API_KEY and a server to shunt messages to for testing. Originally I was creating powershell commands that would actively change AD but that is riskier… better to just push a message into Graylog somehow that looks like a security message from Windows and sets off the alert for testing…

I might have to ask for some developer help… What IS that Beats input expecting to see so it can do it’s magic!?!

I went here to get help about 4 -5 years ago.

If your going to do that, use GELF Output on Windows it will create a field called EventID


Not sure if FileBeat can do that but I know nxlog can. If you decide to go that route I have the config here

I can make it a filebeat on whatever machine I am testing from, then use Powershell to just insert a message line to the text file - that way I can manage powershell permissions across the testing environment and it will come in on the same input–>stream.

Oh gotcha, sorry @tmacgbay

I am having fun putting it together - will post it to Github when it is cleaned up and ready!

Nice :+1: , I will keep my eye out for it…

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.