Centralized Agent Config File

Is it possible to have two config files for each beat, one residing on a network share that hands out the base config to all agents and a second that is customized for each machine?

The config file I am using for winlogbeat is shown below:

winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: Security
  - name: System
setup.template.settings:
  index.number_of_shards: 1
  index.codec: best_compression
  _source.enabled: true
name: hostname
tags: ["Tag1", "Tag2", "Tag3"]
setup.kibana:
  host: "hostname:5601"
output.logstash:
  hosts: ["hostname:5044"]

Is it possible to split this up so everything except name and tags is in a config file on a network share and then each machine gets a config file that only specifies those two settings? Surely there is a way to centrally administer

Hi @wwalker,

You should be able to fill these settings from environment variables, have a look at https://www.elastic.co/guide/en/beats/winlogbeat/current/using-environ-vars.html

Best regards

So what you're saying is, change the beat's service install PowerShell script to use a network path for the -c option and then that file would use env variables that are configured on the host machines? The page appears to use examples designed for Linux; does this also work for Windows machines? I.e., if a Windows variable is ES_HOSTNAME with a value of Computer, I would configure the beats.yml with name: ${ES_HOSTNAME}, which would produce events in Elasticsearch with the field value being Computer?

Having an issue configuring the agent service to look at the network share config file. Here are the syntaxes I've tried:

-c `"\\SERVERNAME\\AgentConfig$\\WinlogBeat\WinlogBeat.yml`"
-c `"\\SERVERNAME\AgentConfig$\WinlogBeat\WinlogBeat.yml`"
-c `"\\\\SERVERNAME\\AgentConfig$\\WinlogBeat\WinlogBeat.yml`"
-c `"\\\\SERVERNAME\\AgentConfig$\\WinlogBeat\\WinlogBeat.yml`"
-c `"\\\\SERVERNAME\\AgentConfig\$\\WinlogBeat\WinlogBeat.yml`"
-c `"\\\SERVERNAME\\AgentConfig$\\WinlogBeat\WinlogBeat.yml`"
-c `"\\\SERVERNAME\\AgentConfig$\\WinlogBeat\\WinlogBeat.yml`"

Service fails to start with any of the above. Having issues understanding exactly how the \ character is used by Windows Service Manager. I thought it was used as an escape character to allow literal \ in the path but that doesn't seem to be the case.

Perhaps you can try to copy it to a local folder and use it from there?

Well....of course it works from a local folder, that's default functionality. I want to deploy from a network location so that instead of managing 100 different config files, I only manage one.

Yes, what I meant is that you can script a copy of the file before launching Winlogbeat, that way you ensure you always have a fresh copy from the network share.

How would I script that into the service on a Windows box?
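
One way to script the copy suggested above, as an added example that is not part of the original thread: a PowerShell script, meant to run as a scheduled task, that pulls the shared file, validates it with `winlogbeat.exe test config`, and only then swaps it in and restarts the service. The install directory, service name and staging file names are assumptions; the share path is the one from the thread.

```powershell
# Added example: refresh the local Winlogbeat config from the central share.
# Assumptions: install directory, service name, and that the task runs under
# an account that can read the share and control the service.
$Source  = '\\SERVERNAME\AgentConfig$\WinlogBeat\WinlogBeat.yml'  # share path from the thread
$BeatDir = 'C:\Program Files\Winlogbeat'                           # assumed install directory
$Service = 'winlogbeat'                                            # assumed service name
$Local   = Join-Path $BeatDir 'winlogbeat.yml'
$Staged  = Join-Path $BeatDir 'winlogbeat.yml.new'
$Backup  = Join-Path $BeatDir 'winlogbeat.yml.bak'
$ErrorActionPreference = 'Stop'

# If the share is unreachable, keep running on the last good local copy.
if (-not (Test-Path -LiteralPath $Source)) {
    Write-Warning "Cannot reach $Source; keeping the current config."
    exit 0
}

# Stage the download next to the live file instead of overwriting it.
Copy-Item -LiteralPath $Source -Destination $Staged -Force

# No change on the share means no restart and no gap in collection.
if (Test-Path -LiteralPath $Local) {
    $new = (Get-FileHash -LiteralPath $Staged -Algorithm SHA256).Hash
    $old = (Get-FileHash -LiteralPath $Local  -Algorithm SHA256).Hash
    if ($new -eq $old) {
        Remove-Item -LiteralPath $Staged
        exit 0
    }
}

# Let Winlogbeat validate the staged file before it goes live, so a broken
# edit on the share cannot stop log shipping on every host at once.
& (Join-Path $BeatDir 'winlogbeat.exe') test config -c $Staged
if ($LASTEXITCODE -ne 0) {
    Remove-Item -LiteralPath $Staged
    Write-Warning "Staged config failed validation; keeping the current config."
    exit 1
}

# Keep the previous file for rollback, swap in the new one, then restart.
if (Test-Path -LiteralPath $Local) {
    Copy-Item -LiteralPath $Local -Destination $Backup -Force
}
Move-Item -LiteralPath $Staged -Destination $Local -Force
Restart-Service -Name $Service
```

Because every host adopts whatever is on the share, write access to it decides where all agents send their logs, so keep it read-only for everyone except the administrators who maintain the file.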
