To configure Winlogbeat, you edit the
winlogbeat.yml configuration file. See the
Config File Format section of the
Beats Platform Reference for more about the structure of the config file.
Here is a sample of the
winlogbeat.event_logs: - name: Application - name: Security - name: System output.elasticsearch: hosts: - localhost:9200 logging.to_files: true logging.files: path: C:/ProgramData/winlogbeat/Logs logging.level: info
To configure Winlogbeat:
event_logssection, specify the event logs that you want to monitor. By default, Winlogbeat is set to monitor application, security, and system logs:
winlogbeat.event_logs: - name: Application - name: Security - name: System
To obtain a list of available event logs, run
Get-EventLog *in PowerShell. For more information about this command, see the configuration details for event_logs.name.
If you are sending output to Elasticsearch, set the IP address and port where Winlogbeat can find the Elasticsearch installation:
output.elasticsearch: hosts: - localhost:9200
If you are sending output to Logstash, see Step 3: Configuring Winlogbeat to Use Logstash instead.
After you save your configuration file, test it with the following command.
PS C:\Program Files\Winlogbeat> .\winlogbeat.exe -c .\winlogbeat.yml -configtest -e