Winlogbeat

The winlogbeat section specifies all options that are specific to Winlogbeat. Most importantly, it contains the list of event logs to monitor.

Here is a sample configuration:

winlogbeat:
  registry_file: C:/ProgramData/winlogbeat/.winlogbeat.yml
  event_logs:
    - name: Application
      ignore_older: 72h
    - name: Security
    - name: System

Winlogbeat Options

You can specify the following options in the winlogbeat section:

registry_file

The name of the file where Winlogbeat stores information that it uses to resume monitoring after a restart. By default the file is stored as .winlogbeat.yml in the directory where the Beat was started. When you run the process as a Windows service, it’s recommended that you set the value to C:/ProgramData/winlogbeat/.winlogbeat.yml.

winlogbeat:
  registry_file: C:/ProgramData/winlogbeat/.winlogbeat.yml

The forward slashes (/) in the path are automatically changed to backslashes (\) for Windows compatibility, so you can use either forward slashes or backslashes. Forward slashes are easier to work with in YAML because there is no need to escape them.

event_logs

A list of entries (called dictionaries in YAML) that specify which event logs to monitor. Each entry in the list defines an event log to monitor as well as any information to be associated with the event log (filter, tags, and so on). The name field is the only required field for each event log.

winlogbeat:
  event_logs:
    - name: Application

event_logs.batch_read_size

The maximum number of event log records to read from the Windows API in a single batch. The default batch size is 100. This option is only available on operating systems supporting the Windows Event Log API (Microsoft Windows Vista and newer).

Winlogbeat starts a goroutine (a lightweight thread) to read from each individual event log. The goroutine reads a batch of event log records using the Windows API, applies any processors to the events, publishes them to the configured outputs, and waits for an acknowledgement from the outputs before reading additional event log records.

event_logs.name

The name of the event log to monitor. Each dictionary under event_logs must have a name field. You can get a list of the classic event logs by running Get-EventLog * in PowerShell. Here is a sample of the output from the command:

PS C:\Users\vagrant> Get-EventLog *

  Max(K) Retain OverflowAction        Entries Log
  ------ ------ --------------        ------- ---
  20,480      0 OverwriteAsNeeded          75 Application
  20,480      0 OverwriteAsNeeded           0 HardwareEvents
     512      7 OverwriteOlder              0 Internet Explorer
  20,480      0 OverwriteAsNeeded           0 Key Management Service
  20,480      0 OverwriteAsNeeded       1,609 Security
  20,480      0 OverwriteAsNeeded       1,184 System
  15,360      0 OverwriteAsNeeded         464 Windows PowerShell

Channel names can also be specified if running on Windows Vista or newer. A channel is a named stream of events that transports events from an event source to an event log. Most channels are tied to specific event publishers. Here is an example showing how to list all channels using PowerShell.

PS C:\> Get-WinEvent -ListLog * | Format-List -Property LogName
LogName : Application
LogName : HardwareEvents
LogName : Internet Explorer
LogName : Key Management Service
LogName : Security
LogName : System
LogName : Windows PowerShell
LogName : ForwardedEvents
LogName : Microsoft-Management-UI/Admin
LogName : Microsoft-Rdms-UI/Admin
LogName : Microsoft-Rdms-UI/Operational
LogName : Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
...

You must specify the full name of the channel in the configuration file.

winlogbeat:
  event_logs:
    - name: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
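The following PowerShell script is an added example and is not part of the Winlogbeat documentation. It enumerates the channels on the host with Get-WinEvent -ListLog, keeps the enabled Administrative and Operational channels that actually hold records, and writes an event_logs section that uses each channel's exact, full name (quoted, since several names contain spaces). The record threshold, the channel-type filter and the output file name are choices made for the example.

```powershell
# Added example (not from the Winlogbeat docs): inventory channels and emit an
# event_logs section with exact, full channel names.
# Assumes PowerShell 3 or newer on Windows Vista or newer (Get-WinEvent needs the
# Windows Event Log API). Thresholds and the output path are assumptions.

$minRecords   = 1        # only channels holding at least this many records
$includeDebug = $false   # Analytic/Debug channels are off by default and very noisy

$channels = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Where-Object {
        $_.IsEnabled -and
        $_.RecordCount -ge $minRecords -and
        ($includeDebug -or $_.LogType -in @('Administrative', 'Operational'))
    } |
    Sort-Object RecordCount -Descending

# Human-readable inventory first, so you can see what you are about to ship.
$channels | Format-Table LogName, LogType, RecordCount, MaximumSizeInBytes -AutoSize

# Then the YAML. Names are single-quoted because several contain spaces
# ("Microsoft-Windows-Windows Firewall With Advanced Security/Firewall");
# a literal single quote inside a name is doubled, as YAML requires.
$yaml = @('winlogbeat:', '  event_logs:')
foreach ($c in $channels) {
    $yaml += "    - name: '$($c.LogName -replace "'", "''")'"
}
$yaml -join "`n" | Set-Content -Encoding UTF8 .\event_logs.yml
Get-Content .\event_logs.yml
```

Run it from an elevated prompt; otherwise the record count for the Security channel (and for some Microsoft-* channels) is not readable and those channels are left out. Treat the generated file as a starting point: shipping every Operational channel on a host is rarely what you want, so trim the list before pasting it into winlogbeat.yml.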

event_logs.ignore_older

If this option is specified, Winlogbeat ignores (does not publish) events that are older than the specified amount of time, measured from the time the event was created. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". This option is useful when you are beginning to monitor an event log that contains older records that you would like to skip rather than backfill. This field is optional.

winlogbeat:
  event_logs:
    - name: Application
      ignore_older: 168h
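The following PowerShell script is an added example and is not part of the Winlogbeat documentation. Before the first run it estimates, for each configured log, how many records fall inside the ignore_older window (and will be published) and how many are older (and will be skipped), so you can size the initial backfill. The event_logs list at the top is constructed for the example; replace it with the entries from your own winlogbeat.yml. The duration parser is a small helper written here to read the Go-style values Winlogbeat accepts ("72h", "1h30m").

```powershell
# Added example (not from the Winlogbeat docs): estimate what ignore_older keeps
# and drops per log. Assumes PowerShell 3 or newer on Windows Vista or newer.
# The $eventLogs list below is constructed for the example.

$eventLogs = @(
    @{ name = 'Application'; ignore_older = '72h' },
    @{ name = 'Security';    ignore_older = '24h' },
    @{ name = 'System' }                              # no ignore_older: everything is read
)

# Convert a Go-style duration ("72h", "30m", "1h30m") into a TimeSpan.
# Winlogbeat accepts ns/us/ms/s/m/h; ns and us are below the precision this
# estimate needs and are treated as zero.
function ConvertFrom-GoDuration([string]$Duration) {
    $span = [TimeSpan]::Zero
    foreach ($m in [regex]::Matches($Duration, '(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)')) {
        $n = [double]$m.Groups[1].Value
        switch ($m.Groups[2].Value) {
            'h'     { $span += [TimeSpan]::FromHours($n) }
            'm'     { $span += [TimeSpan]::FromMinutes($n) }
            's'     { $span += [TimeSpan]::FromSeconds($n) }
            'ms'    { $span += [TimeSpan]::FromMilliseconds($n) }
            default { }
        }
    }
    return $span
}

$now = Get-Date
foreach ($log in $eventLogs) {
    $cfg   = Get-WinEvent -ListLog $log.name -ErrorAction Stop
    $total = [int]$cfg.RecordCount

    if ($log.ignore_older) {
        $cutoff = $now - (ConvertFrom-GoDuration $log.ignore_older)
        # Get-WinEvent reports an error when nothing matches; treat that as zero.
        $filter = @{ LogName = $log.name; StartTime = $cutoff }
        $recent = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue).Count
    } else {
        $cutoff = $null
        $recent = $total
    }

    [pscustomobject]@{
        Log          = $log.name
        ignore_older = $log.ignore_older
        Cutoff       = $cutoff
        TotalRecords = $total
        WillPublish  = $recent
        WillIgnore   = $total - $recent
    }
}
```

Run it elevated so the Security log is readable. Counting recent records in a large Security log with -FilterHashtable can take a minute or two, which is itself a useful hint about how long the first Winlogbeat pass will take.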

metrics.bindaddress

The hostname and port where the Beat will host an HTTP web service that provides metrics. This field is optional. The service has no authentication, so keep it bound to a loopback address (as in the example below) unless the endpoint is meant to be reachable from other hosts.

The following example specifies that the metrics service is available at http://localhost:8123/debug/vars:

winlogbeat:
  metrics:
    bindaddress: 'localhost:8123'

The metrics are served as a JSON document. The metrics include:

  • memory stats
  • number of filtered events from each log
  • number of published events from each log
  • total number of failures while publishing
  • total number of filtered events
  • total number of successfully published events
  • uptime
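The following PowerShell script is an added example and is not part of the Winlogbeat documentation. It checks that the metrics listener is bound to a loopback address rather than to all interfaces, then fetches /debug/vars and lists every numeric field in the JSON document. No metric key names are assumed; nested objects (such as the per-log counters) are flattened one level so they appear beside the top-level totals. The bindaddress value matches the configuration example above; Get-NetTCPConnection requires Windows 8 / Server 2012 or newer.

```powershell
# Added example (not from the Winlogbeat docs): verify the metrics endpoint is
# loopback-only and dump its counters. Assumes metrics.bindaddress 'localhost:8123'
# and Windows 8 / Server 2012 or newer for Get-NetTCPConnection.

$bindAddress = 'localhost:8123'
$port = [int]($bindAddress -split ':')[-1]

# 1. Exposure check: the endpoint is unauthenticated, so the socket must be on a
#    loopback address (127.0.0.1 / ::1), not 0.0.0.0 or ::.
$listeners = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
if (-not $listeners) { "WARN nothing is listening on port $port (is Winlogbeat running?)" }
foreach ($l in $listeners) {
    $addr = [System.Net.IPAddress]::Parse($l.LocalAddress)
    if ([System.Net.IPAddress]::IsLoopback($addr)) {
        "OK   metrics bound to $($l.LocalAddress):$($l.LocalPort) (loopback only)"
    } else {
        "WARN metrics bound to $($l.LocalAddress):$($l.LocalPort) - reachable from the network"
    }
}

# 2. Fetch the JSON document and flatten it one level. Only values that convert
#    to a number are kept, so per-log counters show up next to the totals.
$vars = Invoke-RestMethod -Uri "http://$bindAddress/debug/vars" -TimeoutSec 5
$rows = foreach ($p in $vars.PSObject.Properties) {
    if ($p.TypeNameOfValue -eq 'System.Management.Automation.PSCustomObject') {
        foreach ($q in $p.Value.PSObject.Properties) {
            if ($null -ne ($q.Value -as [double])) {
                [pscustomobject]@{ Metric = "$($p.Name).$($q.Name)"; Value = $q.Value }
            }
        }
    } elseif ($null -ne ($p.Value -as [double])) {
        [pscustomobject]@{ Metric = $p.Name; Value = $p.Value }
    }
}
$rows | Sort-Object Metric | Format-Table -AutoSize
```

Polling this twice a few minutes apart and diffing the published and failure counters per log is a quick way to confirm that events are actually leaving the host, independently of what the output side reports.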