winlogbeat - collect windows event log and enable default template and dashboard related configuration

Posted by Seraskier on Mon, 02 Dec 2019 03:09:08 +0100

Winlogbeat collects the Windows system event log and ships it to an output such as Elasticsearch or Kafka.

Official installation guide: https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation.html

Example configuration: collect events and write them to Elasticsearch:

winlogbeat.event_logs:
  - name: Security
    ignore_older: 24h
    event_id: 4624, 4625, 4626, 4627
    tags: ["Security_205"]
    fields:
      type: "Security_205"
      log_topic: "Security_205"
    fields_under_root: true
# Change the default Elasticsearch index name; note that an index name must not contain uppercase letters, otherwise Elasticsearch refuses to index the events
output.elasticsearch.index: "security_205-%{+yyyy.MM.dd}"
setup.template.name: "security_205"
setup.template.pattern: "security_205-*"
output.elasticsearch:
  hosts: ["10.10.5.78:9200","10.10.5.79:9200","10.10.5.80:9200"]
# Use the official dashboards; when the default Elasticsearch index is changed, setup.dashboards.index must be changed to match
setup.dashboards.enabled: true
setup.dashboards.index: "security_205-*"
setup.kibana:
  host: "10.10.5.109:5601"

logging.to_files: true
logging.files:
  path: C:\Program Files\WinlogBeat\log
logging.level: info

Parameter description:

name: the Windows event log to collect (here the Security log);

ignore_older: events older than this are not collected; this is very useful on the initial run so that the whole history is not ingested;

event_id: the event IDs to collect; by default all events of the log are collected;

logging.to_files: enable Winlogbeat's own log files; when the output cannot be connected, information is written to this log temporarily;

Note: when writing to Elasticsearch the default index name is winlogbeat-*; change it to the name you need.

Example configuration: collect events and write them to Kafka:

winlogbeat.event_logs:
  - name: Security
    ignore_older: 24h
    event_id: 4624, 4625, 4626, 4627
    tags: ["Security_205"]
    fields:
      type: "Security_205"
      log_topic: "Security_205"
    fields_under_root: true

output.kafka:
  enabled: true
  hosts: ["10.78.1.85:9092","10.78.1.87:9092","10.78.1.71:9092"]
  topic: "%{[log_topic]}"
  partition.round_robin:
    reachable_only: true
  worker: 2
  required_acks: 1
  compression: gzip
  max_message_bytes: 10000000

setup.dashboards.enabled: true
setup.dashboards.index: "security_205-*"
setup.kibana:
  host: "10.10.5.109:5601"

logging.to_files: true
logging.files:
  path: C:\Program Files\WinlogBeat\log
logging.level: info
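The two configurations above depend on three behaviours that are easy to get wrong: dotted keys such as output.elasticsearch.index merge with the output.elasticsearch mapping, the index and Kafka topic strings are resolved per event from %{+yyyy.MM.dd} and %{[field]} placeholders, and fields_under_root decides whether %{[log_topic]} can be resolved at all. The following Python script is an added example written for this post; it is not part of Winlogbeat or Elastic's code. It re-implements those three behaviours in simplified form (an assumption, not the beat's actual code), enriches a constructed record the way the event_logs entry would, and lints the Elasticsearch settings for the two rules the post states (lowercase index, dashboards index matching the template pattern). The ES_CONFIG dict, the sample record and the date are constructed.

```python
"""Added example (not from the post or from Elastic): simulate how Winlogbeat
merges dotted YAML keys, applies per-event_log fields/tags, resolves
%{[field]} / %{+date} placeholders, and lint the index/dashboard settings."""
import re
from datetime import datetime

# Constructed configuration mirroring the post's Elasticsearch example.
ES_CONFIG = {
    "winlogbeat.event_logs": [
        {"name": "Security", "ignore_older": "24h",
         "event_id": "4624, 4625, 4626, 4627",
         "tags": ["Security_205"],
         "fields": {"type": "Security_205", "log_topic": "Security_205"},
         "fields_under_root": True},
    ],
    "output.elasticsearch.index": "security_205-%{+yyyy.MM.dd}",
    "setup.template.name": "security_205",
    "setup.template.pattern": "security_205-*",
    "output.elasticsearch": {"hosts": ["10.10.5.78:9200"]},
    "setup.dashboards.enabled": True,
    "setup.dashboards.index": "security_205-*",
}

# Matches %{+yyyy.MM.dd} (date layout) and %{[path.to.field]} (event field).
PLACEHOLDER = re.compile(r"%\{(\+[^}]+|\[[^\]]+\])\}")


def expand_dotted(cfg):
    """Expand 'a.b.c: v' keys into nested dicts, merging with nested mappings
    for the same path (simplified model of how Beats flattens settings)."""
    out = {}
    for key, value in cfg.items():
        node = out
        parts = key.split(".")
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        leaf = parts[-1]
        if isinstance(value, dict):
            sub = expand_dotted(value)
            if isinstance(node.get(leaf), dict):
                node[leaf].update(sub)
            else:
                node[leaf] = sub
        else:
            node[leaf] = value
    return out


def parse_event_ids(spec):
    """Parse the comma-separated event_id string into a list of ints."""
    return [int(x) for x in spec.split(",") if x.strip()]


def enrich(event_log_cfg, record):
    """Apply tags, fields and fields_under_root to a raw record."""
    event = dict(record)
    event["tags"] = list(event_log_cfg.get("tags", []))
    extra = event_log_cfg.get("fields", {})
    if event_log_cfg.get("fields_under_root"):
        event.update(extra)        # log_topic lands at the event root
    else:
        event["fields"] = dict(extra)  # log_topic lands under fields.*
    return event


def resolve(fmt, event, now):
    """Resolve placeholders in an index/topic string. A missing field raises
    KeyError here, modelling an event that cannot be routed (assumption)."""
    def sub(match):
        token = match.group(1)
        if token.startswith("+"):
            layout = token[1:]
            for java, py in (("yyyy", "%Y"), ("MM", "%m"), ("dd", "%d")):
                layout = layout.replace(java, py)
            return now.strftime(layout)
        node = event
        for part in token[1:-1].split("."):
            node = node[part]
        return str(node)
    return PLACEHOLDER.sub(sub, fmt)


def lint(cfg):
    """Checks from the post: the index must be lowercase, and the template
    pattern and dashboards index must match the date-stripped index name."""
    c = expand_dotted(cfg)
    problems = []
    index = c["output"]["elasticsearch"]["index"]
    static = PLACEHOLDER.sub("", index)
    if static != static.lower():
        problems.append("index contains uppercase letters: " + index)
    pattern = c["setup"]["template"]["pattern"]
    if not static.startswith(pattern.rstrip("*")):
        problems.append("setup.template.pattern does not cover the index")
    if c["setup"]["dashboards"]["index"] != pattern:
        problems.append("setup.dashboards.index does not match the template pattern")
    return problems


def demo(cfg=ES_CONFIG):
    """Run the post's configuration through the helpers above."""
    now = datetime(2019, 12, 2)                       # constructed date
    log_cfg = cfg["winlogbeat.event_logs"][0]
    raw = {"event_id": 4625, "computer_name": "WS-01"}  # constructed record
    rooted = enrich(log_cfg, raw)
    nested = enrich(dict(log_cfg, fields_under_root=False), raw)
    try:
        resolve("%{[log_topic]}", nested, now)
        root_topic_resolves_when_nested = True
    except KeyError:
        root_topic_resolves_when_nested = False
    return {
        "event_ids": parse_event_ids(log_cfg["event_id"]),
        "index": resolve(cfg["output.elasticsearch.index"], rooted, now),
        "topic": resolve("%{[log_topic]}", rooted, now),
        "nested_topic": resolve("%{[fields.log_topic]}", nested, now),
        "root_topic_resolves_when_nested": root_topic_resolves_when_nested,
        "problems": lint(cfg),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The nested_topic result shows the caveat behind fields_under_root: true in both configurations. If it were left at its default of false, log_topic would sit under fields, and the Kafka topic setting would have to read %{[fields.log_topic]} for the event to be routed. Running lint on a copy of the config whose index starts with an uppercase letter reports the rejection the comment in the first configuration warns about.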
