- Winlogbeat Reference: other versions:
- Winlogbeat Overview
- Quick start: installation and configuration
- Set up and run
- Upgrade
- Configure
- Winlogbeat
- General settings
- Project paths
- Output
- Kerberos
- SSL
- Index lifecycle management (ILM)
- Elasticsearch index template
- Kibana endpoint
- Kibana dashboards
- Processors
- Define processors
- add_cloud_metadata
- add_cloudfoundry_metadata
- add_docker_metadata
- add_fields
- add_host_metadata
- add_id
- add_kubernetes_metadata
- add_labels
- add_locale
- add_network_direction
- add_nomad_metadata
- add_observer_metadata
- add_process_metadata
- add_tags
- append
- community_id
- convert
- copy_fields
- decode_base64_field
- decode_duration
- decode_json_fields
- decode_xml
- decode_xml_wineventlog
- decompress_gzip_field
- detect_mime_type
- dissect
- dns
- drop_event
- drop_fields
- extract_array
- fingerprint
- include_fields
- move_fields
- rate_limit
- registered_domain
- rename
- replace
- script
- syslog
- timestamp
- translate_ldap_attribute
- translate_sid
- truncate_fields
- urldecode
- Internal queue
- Logging
- HTTP endpoint
- Instrumentation
- winlogbeat.reference.yml
- How to guides
- Modules
- Exported fields
- Monitor
- Secure
- Troubleshoot
- Get Help
- Debug
- Understand logged metrics
- Common problems
- Dashboard in Kibana is breaking up data fields incorrectly
- Bogus computer_name fields are reported in some events
- Error loading config file
- Found unexpected or unknown characters
- Logstash connection doesn’t work
- Publishing to Logstash fails with "connection reset by peer" message
- @metadata is missing in Logstash
- Not sure whether to use Logstash or Beats
- SSL client fails to connect to Logstash
- Monitoring UI shows fewer Beats than expected
- Dashboard could not locate the index-pattern
- High RSS memory usage due to MADV settings
- Not sure how to read from .evtx files
- Contribute to Beats
Directory layout
editDirectory layout
editThe directory layout of an installation is as follows:
Archive installation has a different layout. See zip, tar.gz, or tgz.
Type | Description | Default Location | Config Option |
---|---|---|---|
home |
Home of the Winlogbeat installation. |
|
|
bin |
The location for the binary files. |
|
|
config |
The location for configuration files. |
|
|
data |
The location for persistent data files. |
|
|
logs |
The location for the logs created by Winlogbeat. |
|
|
You can change these settings by using CLI flags or setting path options in the configuration file.
Default paths
editWinlogbeat uses the following default paths unless you explicitly change them.
zip, tar.gz, or tgz
editType | Description | Location |
---|---|---|
home |
Home of the Winlogbeat installation. |
|
bin |
The location for the binary files. |
|
config |
The location for configuration files. |
|
data |
The location for persistent data files. |
|
logs |
The location for the logs created by Winlogbeat. |
|
For the zip, tar.gz, or tgz distributions, these paths are based on the location of the extracted binary file. This means that if you start Winlogbeat with the following simple command, all paths are set correctly:
Start-Service winlogbeat
On this page
ElasticON events are back!
Learn about the Elastic Search AI Platform from the experts at our live events.
Register now