WARNING: Version 1.2 of Winlogbeat has passed its EOL date.

This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.

« Step 1: Installing Winlogbeat Step 3: Configuring Winlogbeat to Use Logstash »
Elastic Docs Winlogbeat Reference [1.2] Getting Started With Winlogbeat

Step 2: Configuring Winlogbeat

edit

Step 2: Configuring Winlogbeat

edit

To configure Winlogbeat, you edit the winlogbeat.yml configuration file. Here is a sample of the winlogbeat.yml file:

winlogbeat:
  registry_file: C:/ProgramData/winlogbeat/.winlogbeat.yml

  event_logs:
    - name: Application
    - name: Security
    - name: System

output:
  elasticsearch:
    hosts:
      - localhost:9200

logging:
  to_files: true
  files:
    path: C:/ProgramData/winlogbeat/Logs
  level: info

To configure Winlogbeat:

  1. In the event_logs section, specify the event logs that you want to monitor. By default, Winlogbeat is set to monitor application, security, and system logs:

      event_logs:
    - name: Application
    - name: Security
    - name: System

    To obtain a list of available event logs, run Get-EventLog * in PowerShell. For more information about this command, see the configuration details for event_logs.name.

  2. If you are sending output to Elasticsearch, set the IP address and port where Winlogbeat can find the Elasticsearch installation:

    output:
  elasticsearch:
    hosts:
      - localhost:9200

    If you are sending output to Logstash, see Step 3: Configuring Winlogbeat to Use Logstash instead.

  3. After you save your configuration file, test it with the following command.

    PS C:\Program Files\Winlogbeat> .\winlogbeat.exe -c .\winlogbeat.yml -configtest -e
« Step 1: Installing Winlogbeat Step 3: Configuring Winlogbeat to Use Logstash »