Step 2: Configuring Winlogbeat

edit

To configure Winlogbeat, you edit the winlogbeat.yml configuration file. See the Config File Format section of the Beats Platform Reference for more about the structure of the config file.

Here is a sample of the winlogbeat.yml file:

winlogbeat.event_logs:
  - name: Application
  - name: Security
  - name: System

output.elasticsearch:
  hosts:
    - localhost:9200

logging.to_files: true
logging.files:
  path: C:/ProgramData/winlogbeat/Logs
logging.level: info

To configure Winlogbeat:

  1. In the event_logs section, specify the event logs that you want to monitor. By default, Winlogbeat is set to monitor application, security, and system logs:

    winlogbeat.event_logs:
      - name: Application
      - name: Security
      - name: System

    To obtain a list of available event logs, run Get-EventLog * in PowerShell. For more information about this command, see the configuration details for event_logs.name.

  2. If you are sending output to Elasticsearch, set the IP address and port where Winlogbeat can find the Elasticsearch installation:

    output.elasticsearch:
      hosts:
        - localhost:9200

    If you are sending output to Logstash, see Step 3: Configuring Winlogbeat to Use Logstash instead.

  3. After you save your configuration file, test it with the following command.

    PS C:\Program Files\Winlogbeat> .\winlogbeat.exe -c .\winlogbeat.yml -configtest -e