Step 2: Configure Winlogbeatedit

To configure Winlogbeat, you edit the winlogbeat.yml configuration file. See the Config File Format section of the Beats Platform Reference for more about the structure of the config file.

Here is a sample of the winlogbeat.yml file:

winlogbeat.event_logs:
  - name: Application
  - name: Security
  - name: System

output.elasticsearch:
  hosts:
    - localhost:9200

logging.to_files: true
logging.files:
  path: C:/ProgramData/winlogbeat/Logs
logging.level: info

To configure Winlogbeat:

  1. In the event_logs section, specify the event logs that you want to monitor. By default, Winlogbeat is set to monitor application, security, and system logs:

    winlogbeat.event_logs:
      - name: Application
      - name: Security
      - name: System

    To obtain a list of available event logs, run Get-EventLog * in PowerShell. For more information about this command, see the configuration details for event_logs.name.

  2. If you are sending output directly to Elasticsearch (and not using Logstash), set the IP address and port where Winlogbeat can find the Elasticsearch installation:

    output.elasticsearch:
      hosts:
        - localhost:9200

    If you are sending output to Logstash, make sure you Configure the Logstash output instead.

  3. If you plan to use the sample Kibana dashboards provided with Winlogbeat, configure the Kibana endpoint:

    setup.kibana:
      host: "localhost:5601"

    Where host is the hostname and port of the machine where Kibana is running, for example, localhost:5601.

    Note

    If you specify a path after the port number, you need to include the scheme and port: http://localhost:5601/path.

  4. If you’ve secured Elasticsearch and Kibana, you need to specify credentials in the config file before you run the commands that set up and start Winlogbeat. For example:

    output.elasticsearch:
      hosts: ["myEShost:9200"]
      username: "filebeat_internal"
      password: "{pwd}" 
    setup.kibana:
      host: "mykibanahost:5601"
      username: "my_kibana_user"  
      password: "{pwd}"

    This examples shows a hard-coded password, but you should store sensitive values in the secrets keystore.

    The username and password settings for Kibana are optional. If you don’t specify credentials for Kibana, Winlogbeat uses the username and password specified for the Elasticsearch output.

    If you are planning to set up the Kibana dashboards, the user must have the kibana_user built-in role or equivalent privileges.

    For more information, see Securing Winlogbeat.

  5. After you save your configuration file, test it with the following command.

    PS C:\Program Files\Winlogbeat> .\winlogbeat.exe test config -c .\winlogbeat.yml -e