Winlogbeat command referenceedit

Winlogbeat provides a command-line interface for starting Winlogbeat and performing common tasks, like testing configuration files and loading dashboards.

The command-line also supports global flags for controlling global behaviors.

Commands

export

Exports the configuration, index template or a dashboard to stdout.

help

Shows help for any command.

keystore

Manages the secrets keystore.

run

Runs Winlogbeat. This command is used by default if you start Winlogbeat without specifying a command.

setup

Sets up the initial environment, including the index template, Kibana dashboards (when available), and machine learning jobs (when available).

test

Tests the configuration.

version

Shows information about the current version.

Also see Global flags.

export commandedit

Exports the configuration, index template or a dashboard to stdout. You can use this command to quickly view your configuration, see the contents of the index template or export a dashboard from Kibana.

SYNOPSIS

winlogbeat export SUBCOMMAND [FLAGS]

SUBCOMMANDS

config
Exports the current configuration to stdout. If you use the -c flag, this command exports the configuration that’s defined in the specified file.
dashboard

Exporting a dashboard allows to store a dashboard on disk in a module and load it automatically. The following command can be used:

winlogbeat export dashboard --id="dashboard-id" > dashboard.json

The dashboard-id can be found in the Kibana URL. By default export dashboard will write the dashboard to stdout. Above it’s written into dashboard.json so it can later imported again. The file contains the dashboard with all visualizations and searches. The index pattern is removed as it is expected to be loaded separately for Winlogbeat.

The generated dashboard.json file can be copied into the kibana/6/dashboard directory of winlogbeat and next time winlogbeat setup dashboards is run the dashboard will be imported.

In case Kibana is not running on localhost:5061 the Winlogbeat configuration under setup.kibana must be adjusted.

template
Exports the index template to stdout. You can specify the --es.version and --index flags to further define what gets exported.

FLAGS

--es.version VERSION
When specified along with template, exports an index template that is compatible with the specified version.
-h, --help
Shows help for the export command.
--index BASE_NAME
When specified along with template, sets the base name to use for the index template. If this flag is not specified, the default base name is winlogbeat.

Also see Global flags.

EXAMPLES

winlogbeat export config
winlogbeat export template --es.version 6.4.3 --index myindexname

help commandedit

Shows help for any command. If no command is specified, shows help for the run command.

SYNOPSIS

winlogbeat help COMMAND_NAME [FLAGS]
COMMAND_NAME
Specifies the name of the command to show help for.

FLAGS

-h, --help
Shows help for the help command.

Also see Global flags.

EXAMPLE

winlogbeat help export

keystore commandedit

Manages the secrets keystore.

SYNOPSIS

winlogbeat keystore SUBCOMMAND [FLAGS]

SUBCOMMANDS

add KEY
Adds the specified key to the keystore. Use the --force flag to overwrite an existing key. Use the --stdin flag to pass the value through stdin.
create
Creates a keystore to hold secrets. Use the --force flag to overwrite the existing keystore.
list
Lists the keys in the keystore.
remove KEY
Removes the specified key from the keystore.

FLAGS

--force
Valid with the add and create subcommands. When used with add, overwrites the specified key. When used with create, overwrites the keystore.
--stdin
When used with add, uses the stdin as the source of the key’s value.
-h, --help
Shows help for the keystore command.

Also see Global flags.

EXAMPLES

winlogbeat keystore create
winlogbeat keystore add ES_PWD
winlogbeat keystore remove ES_PWD
winlogbeat keystore list

see Secrets keystore for more examples.

run commandedit

Runs Winlogbeat. This command is used by default if you start Winlogbeat without specifying a command.

SYNOPSIS

winlogbeat run [FLAGS]

Or:

winlogbeat [FLAGS]

FLAGS

-N, --N
Disables the publishing of events to the defined output. This option is useful only for testing Winlogbeat.
--cpuprofile FILE
Writes CPU profile data to the specified file. This option is useful for troubleshooting Winlogbeat.
-h, --help
Shows help for the run command.
--httpprof [HOST]:PORT
Starts an http server for profiling. This option is useful for troubleshooting and profiling Winlogbeat.
--memprofile FILE
Writes memory profile data to the specified output file. This option is useful for troubleshooting Winlogbeat.
--setup

Loads the initial setup, including Elasticsearch template, Kibana index pattern, Kibana dashboards and Machine learning jobs. If you want to use the command without running Winlogbeat, use the setup command instead.

Also see Global flags.

EXAMPLE

winlogbeat run -e --setup

Or:

winlogbeat -e --setup

setup commandedit

Sets up the initial environment, including the index template, Kibana dashboards (when available), and machine learning jobs (when available)

  • The index template ensures that fields are mapped correctly in Elasticsearch.
  • The Kibana dashboards make it easier for you to visualize Winlogbeat data in Kibana.
  • The machine learning jobs contain the configuration information and metadata necessary to analyze data for anomalies.

Use this command instead of run --setup when you want to set up the environment without actually running Winlogbeat and ingesting data.

SYNOPSIS

winlogbeat setup [FLAGS]

FLAGS

--dashboards
Sets up the Kibana dashboards only. This option loads the dashboards from the Winlogbeat package. For more options, such as loading customized dashboards, see Importing Existing Beat Dashboards in the Beats Developer Guide.
-h, --help
Shows help for the setup command.
--machine-learning
Sets up machine learning job configurations only.
--template
Sets up the index template only.

Also see Global flags.

EXAMPLE

winlogbeat setup --dashboards

test commandedit

Tests the configuration.

SYNOPSIS

winlogbeat test SUBCOMMAND [FLAGS]

SUBCOMMANDS

config
Tests the configuration settings.
output
Tests that Winlogbeat can connect to the output by using the current settings.

FLAGS

-h, --help
Shows help for the test command.

Also see Global flags.

EXAMPLE

winlogbeat test config

version commandedit

Shows information about the current version.

SYNOPSIS

winlogbeat version [FLAGS]

FLAGS

-h, --help
Shows help for the version command.

Also see Global flags.

EXAMPLE

winlogbeat version

Global flagsedit

These global flags are available whenever you run Winlogbeat.

-E, --E "SETTING_NAME=VALUE"

Overrides a specific configuration setting. You can specify multiple overrides. For example:

winlogbeat -E "name=mybeat" -E "output.elasticsearch.hosts=['http://myhost:9200']"

This setting is applied to the currently running Winlogbeat process. The Winlogbeat configuration file is not changed.

-c, --c FILE
Specifies the configuration file to use for Winlogbeat. The file you specify here is relative to path.config. If the -c flag is not specified, the default config file, winlogbeat.yml, is used.
-d, --d SELECTORS
Enables debugging for the specified selectors. For the selectors, you can specify a comma-separated list of components, or you can use -d "*" to enable debugging for all components. For example, -d "publish" displays all the "publish" related messages.
-e, --e
Logs to stderr and disables syslog/file output.
--path.config
Sets the path for configuration files. See the Directory layout section for details.
--path.data
Sets the path for data files. See the Directory layout section for details.
--path.home
Sets the path for miscellaneous files. See the Directory layout section for details.
--path.logs
Sets the path for log files. See the Directory layout section for details.
--strict.perms
Sets strict permission checking on configuration files. The default is -strict.perms=true. See Config file ownership and permissions in the Beats Platform Reference for more information.
-v, --v
Logs INFO-level messages.