Step 2: Configuring Winlogbeat


To configure Winlogbeat, you edit the winlogbeat.yml configuration file. Here is a sample of the winlogbeat.yml file:

winlogbeat:
  registry_file: C:/ProgramData/winlogbeat/.winlogbeat.yml

  event_logs:
    - name: Application
    - name: Security
    - name: System

output:
  elasticsearch:
    hosts:
      - localhost:9200

logging:
  to_files: true
  files:
    path: C:/ProgramData/winlogbeat/Logs
  level: info

To configure Winlogbeat:

  1. In the event_logs section, specify the event logs that you want to monitor. By default, Winlogbeat is set to monitor application, security, and system logs:

      event_logs:
        - name: Application
        - name: Security
        - name: System

    To obtain a list of available event logs, run Get-EventLog * in PowerShell. For more information about this command, see the configuration details for event_logs.name.

  2. If you are sending output to Elasticsearch, set the IP address and port where Winlogbeat can find the Elasticsearch installation:

    output:
      elasticsearch:
        hosts:
          - localhost:9200

    If you are sending output to Logstash, see Step 3: Configuring Winlogbeat to Use Logstash instead.

  3. After you save your configuration file, test it with the following command:

    PS C:\Program Files\Winlogbeat> .\winlogbeat.exe -c .\winlogbeat.yml -configtest -e
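As an added example (not part of the Winlogbeat documentation), the following Windows PowerShell script ties the three steps together: it reads the event log names from the event_logs section, checks each against the logs that Get-EventLog reports on this host, warns if the Security log has been left out, and then runs the same configtest command as step 3. The install paths at the top are assumptions; adjust them for your deployment.

```powershell
# Added example, not from the Winlogbeat docs. Validates the event_logs section
# of winlogbeat.yml against the logs present on this host, then runs configtest.
# Assumed paths (change to match your install):
$ConfigPath    = 'C:\Program Files\Winlogbeat\winlogbeat.yml'
$WinlogbeatExe = 'C:\Program Files\Winlogbeat\winlogbeat.exe'

# Collect "- name: X" entries from the event_logs block. A line-based scan
# that tracks indentation is enough for the flat layout shown in the sample.
$configured  = @()
$blockIndent = -1
foreach ($line in Get-Content $ConfigPath) {
    if ($line -match '^(\s*)event_logs:') { $blockIndent = $Matches[1].Length; continue }
    if ($blockIndent -lt 0) { continue }
    if ($line -match '^\s*$' -or $line -match '^\s*#') { continue }          # blank or comment
    $indent = ($line -replace '^(\s*).*$', '$1').Length
    if ($indent -le $blockIndent) { $blockIndent = -1; continue }           # left the block
    if ($line -match '^\s*-\s*name:\s*(.+?)\s*$') { $configured += $Matches[1] }
}

# Logs that actually exist here, from the same cmdlet the docs point to
# (Get-EventLog is available in Windows PowerShell 5.1).
$available = Get-EventLog -List | ForEach-Object { $_.Log }

foreach ($name in $configured) {
    if ($available -contains $name) {
        Write-Host "OK       $name"
    } else {
        Write-Warning "Event log '$name' is configured but was not found on this host"
    }
}

# The Security log carries logon and privilege-use events; flag it if missing.
if ($configured -notcontains 'Security') {
    Write-Warning "Security event log is not configured; logon and audit events will not be shipped"
}

# Let Winlogbeat validate the whole file (same command as step 3).
& $WinlogbeatExe -c $ConfigPath -configtest -e
```

Run it from an elevated Windows PowerShell prompt so Get-EventLog can enumerate the Security log.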