WARNING: Version 1.3 of Winlogbeat has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Winlogbeat
editWinlogbeat
editThe winlogbeat
section specifies all options that are specific to Winlogbeat.
Most importantly, it contains the list of event logs to monitor.
Here is a sample configuration:
winlogbeat: registry_file: C:/ProgramData/winlogbeat/.winlogbeat.yml event_logs: - name: Application ignore_older: 72h - name: Security - name: System
Winlogbeat Options
editYou can specify the following options in the winlogbeat
section:
registry_file
editThe name of the file where Winlogbeat stores information that it uses to resume
monitoring after a restart. By default the file is stored as .winlogbeat.yml
in the directory where the Beat was started. When you run the process as a
Windows service, it’s recommended that you set the value to
C:/ProgramData/winlogbeat/.winlogbeat.yml
.
winlogbeat: registry_file: C:/ProgramData/winlogbeat/.winlogbeat.yml
The forward slashes (/) in the path are automatically changed to backslashes (\) for Windows compatibility. You can use either forward or backslashes. Forward slashes are easier to work with in YAML because there is no need to escape them.
event_logs
editA list of entries (called dictionaries in YAML) that specify which event logs to
monitor. Each entry in the list defines an event log to monitor as well as any
information to be associated with the event log (filter, tags, and so on). The
name
field is the only required field for each event log.
winlogbeat: event_logs: - name: Application
event_logs.batch_read_size
editThe maximum number of event log records to read from the Windows API in a single batch. The default batch size is 100. This option is only available on operating systems supporting the Windows Event Log API (Microsoft Windows Vista and newer).
Winlogbeat starts a goroutine (a lightweight thread) to read from each individual event log. The goroutine reads a batch of event log records using the Windows API, applies any processors to the events, publishes them to the configured outputs, and waits for an acknowledgement from the outputs before reading additional event log records.
event_logs.name
editThe name of the event log to monitor. Each dictionary under event_logs
must
have a name
field. You can get a list of available event logs by running
Get-EventLog *
in PowerShell. Here is a sample of the output from the command:
PS C:\Users\vagrant> Get-EventLog * Max(K) Retain OverflowAction Entries Log ------ ------ -------------- ------- --- 20,480 0 OverwriteAsNeeded 75 Application 20,480 0 OverwriteAsNeeded 0 HardwareEvents 512 7 OverwriteOlder 0 Internet Explorer 20,480 0 OverwriteAsNeeded 0 Key Management Service 20,480 0 OverwriteAsNeeded 1,609 Security 20,480 0 OverwriteAsNeeded 1,184 System 15,360 0 OverwriteAsNeeded 464 Windows PowerShell
Channel names can also be specified if running on Windows Vista or newer. A channel is a named stream of events that transports events from an event source to an event log. Most channels are tied to specific event publishers. Here is an example showing how to list all channels using PowerShell.
PS C:\> Get-WinEvent -ListLog * | Format-List -Property LogName LogName : Application LogName : HardwareEvents LogName : Internet Explorer LogName : Key Management Service LogName : Security LogName : System LogName : Windows PowerShell LogName : ForwardedEvents LogName : Microsoft-Management-UI/Admin LogName : Microsoft-Rdms-UI/Admin LogName : Microsoft-Rdms-UI/Operational LogName : Microsoft-Windows-Windows Firewall With Advanced Security/Firewall ...
You must specify the full name of the channel in the configuration file.
winlogbeat: event_logs: - name: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
event_logs.ignore_older
editIf this option is specified, Winlogbeat filters events that are older than the specified amount of time. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". This option is useful when you are beginning to monitor an event log that contains older records that you would like to ignore. This field is optional.
winlogbeat: event_logs: - name: Application ignore_older: 168h
metrics.bindaddress
editThe hostname and port where the Beat will host an HTTP web service that provides metrics. This field is optional.
The following example specifies that the metrics service is available at http://localhost:8128/debug/vars:
winlogbeat: metrics: bindaddress: 'localhost:8123'
The metrics are served as a JSON document. The metrics include:
- memory stats
- number of filtered events from each log
- number of published events from each log
- total number of failures while publishing
- total number of filtered events
- total number of successfully published events
- uptime