I am enrolling my Windows servers in Fleet on ELK 7.12. I can see lots of 'logs-*' via Discover relating to these servers.
Do I need to manually install winlogbeat and/or filebeat in addition to what I already have? My current integration has 'Endpoint Security' and 'System'.
Do I also need winlogbeat if I already have filebeat? Apologies for the confusion here.
For example, let's say I am going to add a Windows DC. I am interested in viewing logs about lockouts, logon failures etc.
Do I just deploy the Fleet Agent or do I deploy the fleet agent, then install filebeat and then install winlogbeat?
You can just use the Fleet Elastic Agent and add an integration to the Agent policy, such as custom logs or Windows events. Go to the policy and add the integration.
OK, I get you. I have added Windows into my agent settings like you said, so I have in total Endpoint Security, System and Windows. Now I may be wrong, but I am assuming that adding the Windows integration will add winlogbeat, but I cannot see that within the Windows server after deploying the Fleet agent (see screenshots).
If I go to Discover, I get data for 'logs-' and 'Metrics-' but don't see anything for 'Winlogbeat-*' for this particular Windows server that has Endpoint Security, System and Windows configured on its agent.
Right then. What I have done is just install winlogbeat onto my DCs. No agent etc., just winlogbeat for now, but I can see all the data flying in on the dashboard, which is really good. I can see all my lockouts, logons, changes to AD accounts etc.
OK, good. Yeah, I tried installing Windows through the agent and wasn't having a lot of luck either. If I get a chance I'll take a look. Keep an eye out; it's my understanding that the agent should do this at some point. It is still beta, so perhaps there's an issue.