- Winlogbeat Reference: other versions:
- Winlogbeat Overview
- Quick start: installation and configuration
- Set up and run
- Upgrade
- Configure
- Winlogbeat
- General settings
- Project paths
- Output
- Kerberos
- SSL
- Index lifecycle management (ILM)
- Elasticsearch index template
- Kibana endpoint
- Kibana dashboards
- Processors
- Define processors
- add_cloud_metadata
- add_cloudfoundry_metadata
- add_docker_metadata
- add_fields
- add_host_metadata
- add_id
- add_kubernetes_metadata
- add_labels
- add_locale
- add_network_direction
- add_nomad_metadata
- add_observer_metadata
- add_process_metadata
- add_tags
- append
- community_id
- convert
- copy_fields
- decode_base64_field
- decode_duration
- decode_json_fields
- decode_xml
- decode_xml_wineventlog
- decompress_gzip_field
- detect_mime_type
- dissect
- dns
- drop_event
- drop_fields
- extract_array
- fingerprint
- include_fields
- move_fields
- rate_limit
- registered_domain
- rename
- replace
- script
- syslog
- timestamp
- translate_ldap_attribute
- translate_sid
- truncate_fields
- urldecode
- Internal queue
- Logging
- HTTP endpoint
- Instrumentation
- winlogbeat.reference.yml
- How to guides
- Modules
- Exported fields
- Monitor
- Secure
- Troubleshoot
- Get Help
- Debug
- Understand logged metrics
- Common problems
- Dashboard in Kibana is breaking up data fields incorrectly
- Bogus computer_name fields are reported in some events
- Error loading config file
- Found unexpected or unknown characters
- Logstash connection doesn’t work
- Publishing to Logstash fails with "connection reset by peer" message
- @metadata is missing in Logstash
- Not sure whether to use Logstash or Beats
- SSL client fails to connect to Logstash
- Monitoring UI shows fewer Beats than expected
- Dashboard could not locate the index-pattern
- High RSS memory usage due to MADV settings
- Not sure how to read from .evtx files
- Contribute to Beats
Configure Kerberos
editConfigure Kerberos
editYou can specify Kerberos options with any output or input that supports Kerberos, like Elasticsearch.
The following encryption types are supported:
- aes128-cts-hmac-sha1-96
- aes128-cts-hmac-sha256-128
- aes256-cts-hmac-sha1-96
- aes256-cts-hmac-sha384-192
- des3-cbc-sha1-kd
- rc4-hmac
Example output config with Kerberos password based authentication:
output.elasticsearch.hosts: ["http://my-elasticsearch.elastic.co:9200"] output.elasticsearch.kerberos.auth_type: password output.elasticsearch.kerberos.username: "elastic" output.elasticsearch.kerberos.password: "changeme" output.elasticsearch.kerberos.config_path: "/etc/krb5.conf" output.elasticsearch.kerberos.realm: "ELASTIC.CO"
The service principal name for the Elasticsearch instance is contructed from these options. Based on this configuration
it is going to be HTTP/my-elasticsearch.elastic.co@ELASTIC.CO
.
Configuration options
editYou can specify the following options in the kerberos
section of the winlogbeat.yml
config file:
enabled
editThe enabled
setting can be used to enable the kerberos configuration by setting
it to false
. The default value is true
.
Kerberos settings are disabled if either enabled
is set to false
or the
kerberos
section is missing.
auth_type
editThere are two options to authenticate with Kerberos KDC: password
and keytab
.
password
expects the principal name and its password. When choosing keytab
, you
have to specify a principal name and a path to a keytab. The keytab must contain
the keys of the selected principal. Otherwise, authentication will fail.
config_path
editYou need to set the path to the krb5.conf
, so Winlogbeat can find the Kerberos KDC to
retrieve a ticket.
username
editName of the principal used to connect to the output.
password
editIf you configured password
for auth_type
, you have to provide a password
for the selected principal.
keytab
editIf you configured keytab
for auth_type
, you have to provide the path to the
keytab of the selected principal.
service_name
editThis option can only be configured for Kafka. It is the name of the Kafka service, usually kafka
.
realm
editName of the realm where the output resides.
enable_krb5_fast
editEnable Kerberos FAST authentication. This may conflict with some Active Directory installations. The default is false
.
On this page