To configure Winlogbeat, you edit the
winlogbeat.yml configuration file. See the
Config File Format section of the
Beats Platform Reference for more about the structure of the config file.
Here is a sample of the
winlogbeat.event_logs: - name: Application - name: Security - name: System output.elasticsearch: hosts: - localhost:9200 logging.to_files: true logging.files: path: C:/ProgramData/winlogbeat/Logs logging.level: info
To configure Winlogbeat:
event_logssection, specify the event logs that you want to monitor. By default, Winlogbeat is set to monitor application, security, and system logs:
winlogbeat.event_logs: - name: Application - name: Security - name: System
To obtain a list of available event logs, run
Get-EventLog *in PowerShell. For more information about this command, see the configuration details for event_logs.name.
Configure the output. Winlogbeat supports a variety of outputs, but typically you’ll either send events directly to Elasticsearch, or to Logstash for additional processing.
To send output directly to Elasticsearch (without using Logstash), set the location of the Elasticsearch installation:
If you’re running Elasticsearch on your own hardware, set the host and port where Winlogbeat can find the Elasticsearch installation. For example:
output.elasticsearch: hosts: ["myEShost:9200"]
If you plan to use the sample Kibana dashboards provided with Winlogbeat, configure the Kibana endpoint. You can skip this step if Kibana is running on the same host as Elasticsearch.
If Elasticsearch and Kibana are secured, set credentials in the
winlogbeat.ymlconfig file before you run the commands that set up and start Winlogbeat.
If you’re running Elasticsearch on your own hardware, specify your Elasticsearch and Kibana credentials:
This examples shows a hard-coded password, but you should store sensitive values in the secrets keystore.
passwordsettings for Kibana are optional. If you don’t specify credentials for Kibana, Winlogbeat uses the
passwordspecified for the Elasticsearch output.
To use the pre-built Kibana dashboards, this user must have the
kibana_userbuilt-in role or equivalent privileges.
For more information, see Securing Winlogbeat.
After you save your configuration file, test it with the following command.
PS C:\Program Files\Winlogbeat> .\winlogbeat.exe test config -c .\winlogbeat.yml -e