Step 2: Configuring Winlogbeat

To configure Winlogbeat, edit the winlogbeat.yml configuration file. Here is a sample winlogbeat.yml that reads three event logs, ships them to a local Elasticsearch instance, and writes Winlogbeat's own log to a file:

winlogbeat.event_logs:
  - name: Application
  - name: Security
  - name: System

output.elasticsearch:
  hosts:
    - localhost:9200

logging.to_files: true
logging.files:
  path: C:/ProgramData/winlogbeat/Logs
logging.level: info

To configure Winlogbeat:

  1. In the event_logs section, list the event logs that you want to monitor. By default, Winlogbeat monitors the Application, Security, and System logs:

    winlogbeat.event_logs:
      - name: Application
      - name: Security
      - name: System

    Each name must match the log name exactly as Windows reports it. To obtain a list of available event logs, run Get-EventLog * in PowerShell. Note that Get-EventLog only lists the classic logs (Application, Security, System, and the like); to also see the Applications and Services logs, run Get-WinEvent -ListLog * instead. For more information about this command, see the configuration details for event_logs.name.

  2. If you are sending output to Elasticsearch, set the host (name or IP address) and port where Winlogbeat can reach the Elasticsearch installation. The sample points at an instance listening on the same machine:

    output.elasticsearch:
      hosts:
        - localhost:9200

    If you are sending output to Logstash, see Step 3: Configuring Winlogbeat to Use Logstash instead.

  3. After you save your configuration file, test it with the following command. The -configtest flag makes Winlogbeat parse the configuration and exit without shipping any events, and -e sends Winlogbeat's own log output to stderr so that any configuration error is printed to the console:

    PS C:\Program Files\Winlogbeat> .\winlogbeat.exe -c .\winlogbeat.yml -configtest -e
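
The three steps above can be wrapped in one pre-flight check that catches the most common mistake, a misspelled or non-existent log name, before Winlogbeat is started. The following PowerShell script is an added example and is not part of the Winlogbeat documentation or code base. It assumes the install path used above (C:\Program Files\Winlogbeat) and the dotted winlogbeat.event_logs form shown in the sample; it scans the configuration for "- name:" entries, compares them with the logs the host actually has (via Get-WinEvent -ListLog, which also covers the Applications and Services logs), and then runs the same -configtest command as step 3.

```powershell
# Added example (not part of the Winlogbeat docs): verify that every event log
# named in winlogbeat.yml exists on this host, then run Winlogbeat's own config test.
# Assumption: Winlogbeat is installed in C:\Program Files\Winlogbeat, as in the steps above.
param(
    [string]$ConfigPath = 'C:\Program Files\Winlogbeat\winlogbeat.yml',
    [string]$ExePath    = 'C:\Program Files\Winlogbeat\winlogbeat.exe'
)

# Collect the "- name: <log>" entries that follow the winlogbeat.event_logs key.
# This is a deliberately simple line scanner, not a YAML parser: it assumes the
# dotted top-level key used in the sample and stops at the next top-level key
# (the first following line that starts with a non-space character).
$configured  = @()
$inEventLogs = $false
foreach ($line in Get-Content -Path $ConfigPath) {
    if ($line -match '^winlogbeat\.event_logs:') { $inEventLogs = $true; continue }
    if ($inEventLogs -and $line -match '^\S')     { $inEventLogs = $false }
    if ($inEventLogs -and $line -match '^\s*-\s*name:\s*(.+?)\s*$') {
        $configured += $Matches[1].Trim('"', "'")
    }
}

if ($configured.Count -eq 0) {
    Write-Error "No event logs found under winlogbeat.event_logs in $ConfigPath"
    exit 1
}

# Names of every log the host knows about. Some logs cannot be enumerated
# without elevation, so suppress those errors rather than abort the check.
$available = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty LogName

# PowerShell's -notcontains compares strings case-insensitively, which matches
# how Windows treats event log names.
$missing = $configured | Where-Object { $available -notcontains $_ }
if ($missing) {
    Write-Error ("Event logs named in {0} but not present on this host: {1}" -f `
        $ConfigPath, ($missing -join ', '))
    exit 1
}
Write-Host ("All {0} configured event logs exist: {1}" -f `
    $configured.Count, ($configured -join ', '))

# Finally let Winlogbeat itself validate the file, exactly as in step 3.
& $ExePath -c $ConfigPath -configtest -e
exit $LASTEXITCODE
```

Run it from an elevated PowerShell prompt, since enumerating the Security log requires administrative rights; a non-zero exit code means either a log name that does not exist on this host or a configuration that Winlogbeat itself rejected.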