WARNING: Version 1.1 of Winlogbeat has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Step 2: Configuring Winlogbeat
To configure Winlogbeat, you edit the winlogbeat.yml configuration file. Here is a sample of the winlogbeat.yml file:
    winlogbeat:
      registry_file: C:/ProgramData/winlogbeat/.winlogbeat.yml
      event_logs:
        - name: Application
        - name: Security
        - name: System

    output:
      elasticsearch:
        hosts:
          - localhost:9200

    logging:
      to_files: true
      files:
        path: C:/ProgramData/winlogbeat/Logs
      level: info
To configure Winlogbeat:
- In the event_logs section, specify the event logs that you want to monitor. By default, Winlogbeat is set to monitor application, security, and system logs:

      event_logs:
        - name: Application
        - name: Security
        - name: System

  To obtain a list of available event logs, run Get-EventLog * in PowerShell. For more information about this command, see the configuration details for event_logs.name.

- If you are sending output to Elasticsearch, set the IP address and port where Winlogbeat can find the Elasticsearch installation:

      output:
        elasticsearch:
          hosts:
            - localhost:9200

  If you are sending output to Logstash, see Step 3: Configuring Winlogbeat to Use Logstash instead.

- After you save your configuration file, test it with the following command:

      PS C:\Program Files\Winlogbeat> .\winlogbeat.exe -c .\winlogbeat.yml -configtest -e
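As an added example (not part of the Winlogbeat documentation), the following PowerShell script ties the steps above together: it reads the event log names from winlogbeat.yml, checks each against the logs that Get-EventLog reports on this host, and then runs the same -configtest command. The install paths are assumptions; adjust them to your deployment.

```powershell
# Added example, not from the Winlogbeat docs. Verifies that every event log
# named in winlogbeat.yml exists on this host, then runs the configuration test.
# Both paths below are assumptions about where Winlogbeat was installed.
$ConfigPath = 'C:\Program Files\Winlogbeat\winlogbeat.yml'
$BeatExe    = 'C:\Program Files\Winlogbeat\winlogbeat.exe'

# Collect the "- name: X" entries from the event_logs section. A line match is
# sufficient for the flat layout used in the sample configuration; quotes are stripped.
$configured = Get-Content $ConfigPath | ForEach-Object {
    if ($_ -match '^\s*-\s*name:\s*(.+?)\s*$') { $Matches[1].Trim('"', "'") }
}

# Event logs that actually exist here (the same list "Get-EventLog *" shows).
# Get-EventLog is a Windows PowerShell cmdlet; use Get-WinEvent -ListLog on PowerShell 7.
$available = Get-EventLog -List | ForEach-Object { $_.Log }

foreach ($log in $configured) {
    if ($available -contains $log) {
        Write-Output "OK       $log"
    } else {
        # A misspelled or absent log name means Winlogbeat silently collects nothing from it.
        Write-Warning "Missing  $log (not present on this host; Winlogbeat cannot read it)"
    }
}

# Same configuration test as in the step above; a non-zero exit code means the file is invalid.
& $BeatExe -c $ConfigPath -configtest -e
if ($LASTEXITCODE -ne 0) { throw "winlogbeat.yml failed the configuration test" }
```

Run it from an elevated PowerShell prompt, since reading the Security log list requires administrative rights.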