Centralized Agent Config File

Is it possible to have two config files for each beat. One residing on a network share that hands out the base config to all agents and then a second that is customized for each machine?

The config file I am using for winlogbeat is shown below:

  - name: Application
    ignore_older: 72h
  - name: Security
  - name: System
  index.number_of_shards: 1
  index.codec: best_compression
  _source.enabled: true
name: hostname
tags: ["Tag1", "Tag2", "Tag3"]
  host: "hostname:5601"
  hosts: ["hostname:5044"]

Is it possible to split this up so everything except name and tags is in a config file on a network share and then each machine gets a config file that only specifies those two settings? Surely there is a way to centrally administer

Hi @wwalker,

You should be able to fill these settings from environment variables, have a look to https://www.elastic.co/guide/en/beats/winlogbeat/current/using-environ-vars.html

Best regards

So what you're saying is, change the beat's service install powershell script to use a network path for the -c option and then that file would use env variables that are configured on the host machines? The page appears to use examples designed for Linux, does this also work for Windows machines. I.E. if a Windows variable is ES_HOSTNAME with a value of Computer I would configure the beats.yml to name: ${ES_HOSTNAME} which would produce events in ElasticSearch with the field value being Computer?

Having an issue configuring the agent service to look at the network share config file. Here's the syntaxes I've tried:

-c `"\\SERVERNAME\\AgentConfig$\\WinlogBeat\WinlogBeat.yml`"
-c `"\\SERVERNAME\AgentConfig$\WinlogBeat\WinlogBeat.yml`"
-c `"\\\\SERVERNAME\\AgentConfig$\\WinlogBeat\WinlogBeat.yml`"
-c `"\\\\SERVERNAME\\AgentConfig$\\WinlogBeat\\WinlogBeat.yml`"
-c `"\\\\SERVERNAME\\AgentConfig\$\\WinlogBeat\WinlogBeat.yml`"
-c `"\\\SERVERNAME\\AgentConfig$\\WinlogBeat\WinlogBeat.yml`"
-c `"\\\SERVERNAME\\AgentConfig$\\WinlogBeat\\WinlogBeat.yml`"

Service fails to start with any of the above. Having issues understanding exactly how the \ character is used by Windows Service Manager. I thought it was used as an escape character to allow literal \ in the path but that doesn't seem to be the case.

Perhaps you can try to copy it to a local folder and use it from there?

Well....of course it works from a local folder, that's default functionality. I want to deploy from a network location so that instead of managing 100 different config files, I only manage one.

Yes, what I meant is that you can script a copy of the file before launching Winlogbeat, that way you ensure you always have a fresh copy from the network share.

How would I script that into the service on a Windows box?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.