hi, i have try to install winlogbeat on Windows Server Datacenter and failed.
i download winlogbeat from here
extract the content into C:\Program Files
and rename the winlogbeat- directory to Winlogbeat.
edit winlogbeat.yml as a follow
###################### Winlogbeat Configuration Example ##########################
# This file is an example configuration file highlighting only the most common
# options. The winlogbeat.reference.yml file from the same directory contains all the
# supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/winlogbeat/index.html
#======================= Winlogbeat specific options ==========================
# event_logs specifies a list of event logs to monitor as well as any
# accompanying options. The YAML data type of event_logs is a list of
# dictionaries.
#
# The supported keys are name (required), tags, fields, fields_under_root,
# forwarded, ignore_older, level, event_id, provider, and include_xml. Please
# visit the documentation for the complete details of each option.
# https://go.es.io/WinlogbeatConfig
winlogbeat.event_logs:
- name: Application
ignore_older: 72h
- name: Security
- name: System
#==================== Elasticsearch template setting ==========================
setup.template.settings:
index.number_of_shards: 3
#index.codec: best_compression
#_source.enabled: false
#================================ General =====================================
# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
name: rv07prd
# The tags of the shipper are included in their own field with each
# transaction published.
tags: ["windows", "iis", "ad", "rv07prd"]
# Optional fields that you can specify to add additional information to the
# output.
#fields:
# env: staging
#============================== Dashboards =====================================
# These settings control loading the sample dashboards to the Kibana index. Loading
# the dashboards is disabled by default and can be enabled either by setting the
# options here, or by using the `-setup` CLI flag or the `setup` command.
setup.dashboards.enabled: true
# The URL from where to download the dashboards archive. By default this URL
# has a value which is computed based on the Beat name and version. For released
# versions, this URL points to the dashboard archive on the artifacts.elastic.co
# website.
#setup.dashboards.url:
#============================== Kibana =====================================
# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:
# Kibana Host
# Scheme and port can be left out and will be set to the default (http and 5601)
# In case you specify and additional path, the scheme is required: http://localhost:5601/path
# IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
host: "XXX.XX.XX.XX:63600"
#============================= Elastic Cloud ==================================
# These settings simplify using winlogbeat with the Elastic Cloud (https://cloud.elastic.co/).
# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
# `setup.kibana.host` options.
# You can find the `cloud.id` in the Elastic Cloud web UI.
#cloud.id:
# The cloud.auth setting overwrites the `output.elasticsearch.username` and
# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
#cloud.auth:
#================================ Outputs =====================================
# Configure what outputs to use when sending the data collected by the beat.
# Multiple outputs may be used.
#-------------------------- Elasticsearch output ------------------------------
#output.elasticsearch:
# Array of hosts to connect to.
#hosts: ["localhost:9200"]
# Optional protocol and basic auth credentials.
#protocol: "https"
#username: "elastic"
#password: "changeme"
#----------------------------- Logstash output --------------------------------
output.logstash:
# The Logstash hosts
hosts: ["XXX.XX.XX.XX:63301"]
# Optional SSL. By default is off.
# List of root certificates for HTTPS server verifications
ssl.certificate_authorities: ["C:/Program Files/Winlogbeat/reversal-chain.crt"]
# Certificate for SSL client authentication
ssl.certificate: "C:/Program Files/Winlogbeat/winlogbeat.crt"
# Client Certificate Key
ssl.key: "C:/Program Files/Winlogbeat/winlogbeat.key"
#================================ Logging =====================================
# Sets log level. The default log level is info.
# Available log levels are: critical, error, warning, info, debug
logging.level: info
# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publish", "service".
#logging.selectors: ["*"]
when i run .\winlogbeat.exe -c winlogbeat.yml -e -v -d "*"
i have this error:
Exiting: Error reading configuration file. 1 error: Invalid top-level key 'setup' found. Valid keys are bulk_queue_size, dashboards, fields, fields_under_root, logging, max_procs, name, output, path, processors, queue_size, tags, winlogbeat accessing config
i found this topic about similar error and revised my config. i cant find the "setup" key declared or what is causing it.
i try again as andrewkroh on the topic above suggest, but i have the same error.
winlogbeat.event_logs:
#- name: Application
# ignore_older: 72h
- name: ForwardedEvents
ignore_older: 8760h
Exiting: Error reading configuration file. 1 error: Invalid top-level key 'setup' found. Valid keys are bulk_queue_size, dashboards, fields, fields_under_root, logging, max_procs, name, output, path, processors, queue_size, tags, winlogbeat accessing config
.
i appreciate any help.
thanks in advance.