WARNING: Version 6.2 of Winlogbeat has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Step 2: Configure Winlogbeat
To configure Winlogbeat, you edit the winlogbeat.yml configuration file. See the Config File Format section of the Beats Platform Reference for more about the structure of the config file.
Here is a sample of the winlogbeat.yml file:

winlogbeat.event_logs:
  - name: Application
  - name: Security
  - name: System

output.elasticsearch:
  hosts:
    - localhost:9200

logging.to_files: true
logging.files:
  path: C:/ProgramData/winlogbeat/Logs
logging.level: info
To configure Winlogbeat:

- In the event_logs section, specify the event logs that you want to monitor. By default, Winlogbeat is set to monitor the Application, Security, and System logs:

winlogbeat.event_logs:
  - name: Application
  - name: Security
  - name: System

To obtain a list of available event logs, run Get-EventLog * in PowerShell. Note that Get-EventLog lists only the classic logs; to also see the Applications and Services logs (for example, Sysmon's operational log), run Get-WinEvent -ListLog *. For more information about this setting, see the configuration details for event_logs.name.
- If you are sending output directly to Elasticsearch (and not using Logstash), set the IP address and port where Winlogbeat can find the Elasticsearch installation:

output.elasticsearch:
  hosts:
    - localhost:9200

If you are sending output to Logstash, make sure you Configure the Logstash output instead.
- If you plan to use the sample Kibana dashboards provided with Winlogbeat, configure the Kibana endpoint:

setup.kibana:
  host: "localhost:5601"

Where host is the hostname and port of the machine where Kibana is running, for example, localhost:5601. If you specify a path after the port number, you need to include the scheme and port: http://localhost:5601/path.
- If you've secured Elasticsearch and Kibana, you need to specify credentials in the config file before you run the commands that set up and start Winlogbeat. For example:

output.elasticsearch:
  hosts: ["myEShost:9200"]
  username: "elastic"
  password: "elastic"
setup.kibana:
  host: "mykibanahost:5601"
  username: "elastic"
  password: "elastic"

The username and password settings for Kibana are optional. If you don't specify credentials for Kibana, Winlogbeat uses the username and password specified for the Elasticsearch output. If you are planning to set up the Kibana dashboards, the user must have the kibana_user built-in role or equivalent privileges.

The credentials above are placeholders. In production, do not ship events as the elastic superuser: create a dedicated user that has only the privileges Winlogbeat needs to write its indices (plus what it needs to load the index template and dashboards, if it performs setup). Also keep in mind that the password is stored in cleartext in winlogbeat.yml, so restrict the file's permissions to administrators and the account that runs the service. Winlogbeat 6.2 also provides a keystore (winlogbeat keystore create, then winlogbeat keystore add KEY_NAME) so that the config can reference ${KEY_NAME} instead of the literal password.

Also see the security-related options described in Set up the Kibana endpoint and Configure the Elasticsearch output.
- After you save your configuration file, test it with the following command:

PS C:\Program Files\Winlogbeat> .\winlogbeat.exe test config -c .\winlogbeat.yml -e
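The steps above, carried through end to end as an added PowerShell example (not code from the Winlogbeat documentation or the Beats project): it discovers which logs exist on the host, writes a winlogbeat.yml that monitors only those, locks the file down because it contains a credential, and then runs the test command. The install directory, the Elasticsearch and Kibana hostnames, the user name winlogbeat_writer and the choice of a Sysmon log are assumptions for illustration; the password is prompted for so it never appears in the script or shell history.

```powershell
# Added example, not part of the Winlogbeat docs. Run from an elevated PowerShell
# on the host where Winlogbeat is installed. All hosts/paths/users are assumptions.
$InstallDir = 'C:\Program Files\Winlogbeat'      # assumed install location
$ConfigPath = Join-Path $InstallDir 'winlogbeat.yml'
$EsHost     = 'myEShost:9200'                    # assumed Elasticsearch endpoint
$KibanaHost = 'mykibanahost:5601'                # assumed Kibana endpoint
$EsUser     = 'winlogbeat_writer'                # assumed dedicated user, not "elastic"

# Prompt for the password rather than hard-coding it. The YAML below wraps it in
# double quotes, so this example assumes the password contains no '"' or '\'.
$Cred  = Get-Credential -UserName $EsUser -Message 'Elasticsearch password'
$Plain = $Cred.GetNetworkCredential().Password

# Get-EventLog * shows only the classic logs; Get-WinEvent -ListLog * also
# shows the Applications and Services logs, so use it to see what really exists.
$Available = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Where-Object { $_.IsEnabled } |
    Select-Object -ExpandProperty LogName

# Configure only the logs that exist on this host (the Sysmon log is an assumption).
$Wanted    = @('Application', 'Security', 'System', 'Microsoft-Windows-Sysmon/Operational')
$EventLogs = $Wanted | Where-Object { $Available -contains $_ }
$LogSection = ($EventLogs | ForEach-Object { "  - name: $_" }) -join "`n"

$Yaml = @"
winlogbeat.event_logs:
$LogSection

output.elasticsearch:
  hosts: ["$EsHost"]
  username: "$EsUser"
  password: "$Plain"

setup.kibana:
  host: "$KibanaHost"

logging.to_files: true
logging.files:
  path: C:/ProgramData/winlogbeat/Logs
logging.level: info
"@
Set-Content -Path $ConfigPath -Value $Yaml -Encoding ASCII

# The file now holds a cleartext credential: replace inherited permissions with
# full control for SYSTEM and Administrators only (the service runs as SYSTEM).
$Acl = Get-Acl -Path $ConfigPath
$Acl.SetAccessRuleProtection($true, $false)
foreach ($Identity in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $Rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, 'FullControl', 'Allow')
    $Acl.AddAccessRule($Rule)
}
Set-Acl -Path $ConfigPath -AclObject $Acl

# Validate the syntax and settings, then check that the output is reachable
# with the supplied credentials before the service is started.
Set-Location $InstallDir
.\winlogbeat.exe test config -c .\winlogbeat.yml -e
.\winlogbeat.exe test output -c .\winlogbeat.yml -e
```

If test config reports a parse error, the most common cause is indentation: the event_logs entries must be indented under winlogbeat.event_logs exactly as the sample shows. The final test output call goes one step further than the page's command and confirms that the configured Elasticsearch host accepts the user's credentials, which catches a wrong password or a missing role before Winlogbeat runs as a service.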