I gave you step-by-step details here:
Just replace the word packetbeat with winlogbeat.
Solution:
So actually there is very little you need to do to make this all work. We will use Logstash as a passthrough and let the winlogbeat module do its work: ECS formatting, templates, GeoIP, Index Lifecycle Management, it will all be taken care of.
Here is what I recommend; try to resist the urge to make this more complex than it needs to be.
- On a single host, perform Steps 1 - 5 on the Winlogbeat Quickstart page for Elasticsearch Service. This will set up Packetbeat and all the associated assets in Elasticsearch and Kibana.
Note: Setup only needs to run once whether you are setting up on 1 host or 1000 hosts; it just loads all the needed artifacts. And if you already did all this... and you still have the cluster, you don't even need to do it again.
- Now in the winlogbeat.yml comment out cloud.id and cloud.auth: and configure the output section of winlogbeat to point to Logstash. Comment out the output.elasticsearch: section. Now Packetbeat is pointed to your on-prem Logstash:
  output.logstash:
    # The Logstash hosts
    hosts: ["localhost:5044"]
  ...
- Set up Logstash. Below is the logstash-beats-es.conf that will support all the beats functionality. Logstash simply acts as a passthrough; Packetbeat functionality will magically get passed through.
- Start Logstash, then start Packetbeat... take a look... data should start to flow exactly as it did when it was Packetbeat to Elastic Cloud direct.
- Deploy Packetbeat on other hosts. Configure to point at this Logstash.
Logstash config for Beats pass-through:
  ################################################
  # beats->logstash->es default config.
  ################################################
  input {
    beats {
      port => 5044
    }
  }
  output {
    if [@metadata][pipeline] {
      elasticsearch {
        cloud_auth => "elastic:password"
        cloud_id => "mycloud:dXMtZWFzdC0xLmF3cy5mb3VuZC5pbyRj......"
        manage_template => false
        index => "%{[@metadata][beat]}-%{[@metadata][version]}"
        pipeline => "%{[@metadata][pipeline]}"
      }
    } else {
      elasticsearch {
        cloud_auth => "elastic:password"
        cloud_id => "mycloud:dXMtZWFzdC0xLmF3cy5mb3VuZC5pbyRj......"
        manage_template => false
        index => "%{[@metadata][beat]}-%{[@metadata][version]}"
      }
    }
  }
To delete indices, just go into Kibana and delete indices like this:
  GET _cat/indices/win-*/?v
  DELETE winlogbeat-7.12.0-000001
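Before rolling the edited winlogbeat.yml out to many hosts it is worth checking that the edit above was actually done (cloud.id and cloud.auth commented out, output.elasticsearch commented out, output.logstash.hosts set), since a Beat with two outputs enabled refuses to start. The checker below is an added example, not code from the original post or from Elastic; it parses only the indentation-based subset of YAML that Beats configs use, so it needs no PyYAML, and both sample configs inside it are constructed with placeholder credentials.

```python
"""Pre-deployment check for the winlogbeat.yml edit described above.

Added example, not from the original post. It parses only the indentation-
based subset of YAML that Beats configs use (no PyYAML dependency), then
confirms that cloud.id, cloud.auth and output.elasticsearch are commented
out and that output.logstash.hosts carries at least one host:port entry.
Both sample configs below are constructed for this example."""
import re
from typing import Dict, List, Tuple

# Constructed sample: what winlogbeat.yml should look like after the edit.
GOOD_YML = """\
winlogbeat.event_logs:
  - name: Security
#cloud.id: "mycloud:REDACTED_CLOUD_ID"
#cloud.auth: "elastic:REDACTED"
#output.elasticsearch:
#  hosts: ["localhost:9200"]
output.logstash:
  # The Logstash hosts
  hosts: ["localhost:5044"]
"""

# Constructed sample: the common mistake, cloud.* and both outputs still active.
BAD_YML = """\
cloud.id: "mycloud:REDACTED_CLOUD_ID"
cloud.auth: "elastic:REDACTED"
output.elasticsearch:
  hosts: ["localhost:9200"]
output.logstash:
  hosts: ["localhost:5044"]
"""


def active_settings(text: str) -> Dict[str, str]:
    """Return active (uncommented) settings as a flat dotted-path -> value map.
    Mapping keys without a value become prefixes for the indented keys below."""
    settings: Dict[str, str] = {}
    stack: List[Tuple[int, str]] = []  # (indent, key) of enclosing mappings
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#") or stripped.startswith("- "):
            continue  # blank, comment, or list item (lists are not checked here)
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = stripped.partition(":")
        key, value = key.strip(), value.strip()
        while stack and stack[-1][0] >= indent:
            stack.pop()  # we have left the previous mapping(s)
        path = ".".join([k for _, k in stack] + [key])
        settings[path] = value
        if not value:
            stack.append((indent, key))
    return settings


def check_outputs(text: str) -> List[str]:
    """Return a list of problems; an empty list means the file matches the
    Logstash pass-through setup (cloud.* off, exactly one output: logstash)."""
    s = active_settings(text)
    problems: List[str] = []
    for key in ("cloud.id", "cloud.auth"):
        if key in s:
            problems.append(f"{key} is still active; comment it out")
    if any(k == "output.elasticsearch" or k.startswith("output.elasticsearch.")
           for k in s):
        problems.append("output.elasticsearch is still active; Beats allow only one output")
    if not re.search(r'"[^"\s]+:\d+"', s.get("output.logstash.hosts", "")):
        problems.append("output.logstash.hosts is missing or has no host:port entry")
    return problems


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_YML), ("bad", BAD_YML)):
        print(name, check_outputs(cfg) or "OK")
```

Run it against the real file by replacing the constructed samples with `open("winlogbeat.yml").read()`; an empty problem list means the host will send only to Logstash, which is also where the cloud_auth credentials then live, on one box instead of on every Windows host.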