To configure Winlogbeat, you edit the winlogbeat.yml configuration file. See the Config File Format section of the Beats Platform Reference for more about the structure of the config file.
Here is a sample of the winlogbeat.yml file:

winlogbeat.event_logs:
  - name: Application
  - name: Security
  - name: System

output.elasticsearch:
  hosts:
    - localhost:9200

logging.to_files: true
logging.files:
  path: C:/ProgramData/winlogbeat/Logs
logging.level: info
To configure Winlogbeat:
In the event_logs section, specify the event logs that you want to monitor. By default, Winlogbeat is set to monitor the Application, Security, and System logs:

winlogbeat.event_logs:
  - name: Application
  - name: Security
  - name: System
To obtain a list of available event logs, run Get-EventLog * in PowerShell. For more information about this command, see the configuration details for event_logs.name.
If you are sending output directly to Elasticsearch (and not using Logstash), set the IP address and port where Winlogbeat can find the Elasticsearch installation:
output.elasticsearch:
  hosts:
    - localhost:9200
If you are sending output to Logstash, make sure you configure the Logstash output instead.
If you plan to use the sample Kibana dashboards provided with Winlogbeat, configure the Kibana endpoint:
setup.kibana:
  host: "localhost:5601"
host is the hostname and port of the machine where Kibana is running, for example, localhost:5601.
If you specify a path after the port number, you need to include the scheme and port:
If you’ve secured Elasticsearch and Kibana, you need to specify credentials in the config file before you run the commands that set up and start Winlogbeat. For example:
The username and password settings for Kibana are optional. If you don’t specify credentials for Kibana, Winlogbeat uses the username and password specified for the Elasticsearch output.
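The steps above amount to a handful of rules that a winlogbeat.yml must satisfy before it is worth running `test config`: the event_logs list is present and every entry has a name, exactly one of the Elasticsearch or Logstash outputs is configured, the Elasticsearch output carries credentials once the cluster is secured, a Kibana host that includes a path also spells out its scheme and port, and Kibana falls back to the Elasticsearch credentials when it has none of its own. The following Python script is an added example that applies those rules to a parsed configuration; it is not part of Winlogbeat or the Elastic documentation. It works on the dict that `yaml.safe_load()` would return for the file (the page's sample, reproduced as a dict so the script runs offline without PyYAML); the `winlogbeat_writer` user, the `CHANGE-ME` password and the `/kibana` path used in the checks are constructed placeholders.

```python
"""Sanity checks for a parsed winlogbeat.yml (added example, not Elastic's code).

SAMPLE_CONFIG mirrors the sample on this page as yaml.safe_load() would return it
(Beats keeps dotted top-level keys such as "output.elasticsearch" as literal
strings at this stage). In practice, build the dict with yaml.safe_load(open(path)).
"""
from urllib.parse import urlsplit

# Constructed sample: the page's config plus a Kibana section and ES credentials.
SAMPLE_CONFIG = {
    "winlogbeat.event_logs": [
        {"name": "Application"},
        {"name": "Security"},
        {"name": "System"},
    ],
    "output.elasticsearch": {
        "hosts": ["localhost:9200"],
        "username": "winlogbeat_writer",  # constructed placeholder
        "password": "CHANGE-ME",          # constructed placeholder
    },
    "setup.kibana": {"host": "localhost:5601"},
}


def check_kibana_host(host):
    """Return problems with a setup.kibana.host value.

    Rule from the docs: a bare host:port is accepted, but once a path is present
    the scheme and port must be written out explicitly (http://host:port/path).
    """
    problems = []
    if "://" in host:
        parts = urlsplit(host)
        if parts.scheme not in ("http", "https"):
            problems.append(f"unsupported scheme {parts.scheme!r}")
        if parts.port is None:
            problems.append("port missing (required when a scheme or path is given)")
    else:
        if "/" in host:
            problems.append("path given without scheme (write http://host:port/path)")
        _, sep, port = host.rpartition(":")
        if not sep or not port.isdigit():
            problems.append("expected host:port")
    return problems


def effective_kibana_credentials(config):
    """Resolve the credentials Winlogbeat would use for Kibana.

    setup.kibana.username/password win when present; otherwise the Elasticsearch
    output's username/password are reused, as the docs describe.
    """
    kb = config.get("setup.kibana") or {}
    es = config.get("output.elasticsearch") or {}
    if kb.get("username") or kb.get("password"):
        return kb.get("username"), kb.get("password")
    return es.get("username"), es.get("password")


def check_config(config):
    """Return a list of human-readable findings; an empty list means all checks pass."""
    problems = []

    logs = config.get("winlogbeat.event_logs") or []
    if not logs:
        problems.append("winlogbeat.event_logs: no event logs configured")
    for entry in logs:
        if not isinstance(entry, dict) or not entry.get("name"):
            problems.append(f"winlogbeat.event_logs: entry without a name: {entry!r}")

    es = config.get("output.elasticsearch")
    ls = config.get("output.logstash")
    if bool(es) == bool(ls):
        problems.append("exactly one of output.elasticsearch / output.logstash must be set")
    if es:
        if not es.get("hosts"):
            problems.append("output.elasticsearch.hosts is empty")
        if not (es.get("username") and es.get("password")):
            problems.append("output.elasticsearch: no username/password for a secured cluster")

    kb = config.get("setup.kibana")
    if kb and kb.get("host"):
        problems.extend("setup.kibana.host: " + p for p in check_kibana_host(kb["host"]))

    return problems


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG) or ["config passes all checks"]:
        print(finding)
    print("Kibana will authenticate as:", effective_kibana_credentials(SAMPLE_CONFIG)[0])
```

Run it against the real file by replacing `SAMPLE_CONFIG` with `yaml.safe_load(open("winlogbeat.yml"))`; the checks are deliberately static so they can run on a workstation before the file is copied to the collector.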
After you save your configuration file, test it with the following command.
PS C:\Program Files\Winlogbeat> .\winlogbeat.exe test config -c .\winlogbeat.yml -e