Thanks.
This is my only VM running winlogbeats for now. I pulled the latest beats from the site which was 7.2.0.
I didn't change much in the config file. I added log sources and configured it to push to logstash instead of elastic. Then I loaded the index templates manually as described in the docs.
Here's the config, if it's helpful:
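winlogbeat.event_logs:
  # Application: records older than 72h are skipped, so a fresh install
  # does not replay days of history on its first read.
  - name: Application
    ignore_older: 72h

  - name: System

  # PowerShell module (4103) and script-block (4104) logging. 4104 events
  # carry the text of executed script blocks, which can include
  # credentials, so the transport to Logstash should be encrypted
  # (output.logstash ssl.* settings).
  # NOTE(review): written "Microsoft-windows-…" here but "Microsoft-Windows-…"
  # for every other channel. Channel lookup is believed to be
  # case-insensitive, but confirm events actually arrive from this entry.
  - name: Microsoft-windows-PowerShell/Operational
    # Records older than 60m at read time are dropped, so if the beat is
    # stopped for longer than that the gap is not backfilled — confirm this
    # is acceptable for a detection source.  (TODO confirm exact semantics)
    ignore_older: 60m
    # event_id is a comma-separated string; quoted so no tool re-types the
    # digit-and-comma value, and spaced the same way as the lists below.
    event_id: "4103, 4104"

  # Legacy PowerShell engine channel (presumably 400 = engine available,
  # 600 = provider started — verify against the channel's own descriptions).
  - name: Windows PowerShell
    event_id: "400, 600"
    ignore_older: 60m

  # WMI-Activity: presumably the provider-load / permanent-subscription
  # events used as a persistence indicator; no ignore_older, so the full
  # channel history is read on first start.
  - name: Microsoft-Windows-WMI-Activity/Operational
    event_id: "5857, 5858, 5859, 5860, 5861"

  # Security: no event_id filter, so every record in the channel is
  # shipped; expect this to be by far the highest-volume source.
  - name: Security
    processors:
      # Bundled security module script (presumably ECS field mapping for
      # Security events — check the file for what it actually rewrites).
      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js

  # Sysmon: full channel, enriched by the bundled sysmon module script.
  - name: Microsoft-Windows-Sysmon/Operational
    processors:
      - script:
          lang: javascript
          id: sysmon
          file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js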
#==================== Elasticsearch template settings ==========================
setup.template.settings:
  # One primary shard per index — appropriate for a single shipper; raise
  # only if the index outgrows one data node.
  index.number_of_shards: 1
  #index.codec: best_compression
  #_source.enabled: false
#================================ General =====================================
#The name of the shipper that publishes the network data. It can be used to group
#all the transactions sent by a single shipper in the web interface.
#name:
#The tags of the shipper are included in their own field with each
#transaction published.
#tags: ["service-X", "web-tier"]
#Optional fields that you can specify to add additional information to the
#output.
#fields:
#env: staging
#============================== Dashboards =====================================
#These settings control loading the sample dashboards to the Kibana index. Loading
#the dashboards is disabled by default and can be enabled either by setting the
#options here or by using the setup command.
#setup.dashboards.enabled: false
#The URL from where to download the dashboards archive. By default this URL
#has a value which is computed based on the Beat name and version. For released
#versions, this URL points to the dashboard archive on the artifacts.elastic.co
#website.
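# Left unset so the version-computed default described above applies.
# A bare `setup.dashboards.url:` produces an empty/null value rather than
# "not configured"; Beats probably treats the two the same, but commenting
# the key out removes the ambiguity — TODO confirm. To override, supply a
# quoted URL.
#setup.dashboards.url: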
#============================== Kibana =====================================
#Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
#This requires a Kibana endpoint configuration.
setup.kibana:
  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # in case you specify an additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  # NOTE(review): no scheme, so the dashboard setup talks to Kibana over
  # plain http with no credentials. That only runs at setup time, but if
  # Kibana is behind TLS/auth this needs https:// plus username/password.
  host: "192.168.1.232:5601"
  # Kibana Space ID
  # ID of the Kibana Space into which the dashboards should be loaded. By default,
  # the Default Space will be used.
  #space.id:
#============================= Elastic Cloud ==================================
#These settings simplify using winlogbeat with the Elastic Cloud (https://cloud.elastic.co/).
#The cloud.id setting overwrites the output.elasticsearch.hosts and
#setup.kibana.host options.
#You can find the cloud.id in the Elastic Cloud web UI.
#cloud.id:
#The cloud.auth setting overwrites the output.elasticsearch.username and
#output.elasticsearch.password settings. The format is <user>:<pass>.
#cloud.auth:
#================================ Outputs =====================================
#Configure what output to use when sending the data collected by the beat.
#-------------------------- Elasticsearch output ------------------------------
#output.elasticsearch:
#Array of hosts to connect to.
#hosts: ["localhost:9200"]
#Optional protocol and basic auth credentials.
#protocol: "https"
#username: "elastic"
#password: "changeme"
#----------------------------- Logstash output --------------------------------
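output.logstash:
  # The Logstash hosts — written as a list (the documented form) so further
  # receivers can be added, e.g. with loadbalance: true, without changing
  # the shape of the value.
  hosts: ["192.168.1.232:5044"]
  # Optional SSL. By default is off.
  # NOTE(review): with every ssl.* line commented out, Security, PowerShell
  # (including 4104 script text) and Sysmon events cross the network in
  # cleartext and the beat does not verify which host it is sending to.
  # The three settings below give server verification plus client
  # authentication; the CA pin alone already prevents delivery to an
  # impostor receiver. Paths are the upstream examples — use quoted
  # Windows paths on this host.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"
  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"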
#================================ Processors =====================================
#Configure processors to enhance or manipulate events generated by the beat.
processors:
  # Global processors run on every event after the per-channel ones above.
  # `~` is the Beats idiom for "enable with default settings".
  # Presumably adds host.* fields (name, OS, addresses) — verify in output.
  - add_host_metadata: ~
  # Presumably probes the cloud providers' metadata endpoints at start-up
  # and adds cloud.* fields when one answers; on an on-premises VM nothing
  # answers, so expect only a short start-up probe — check the beat's log
  # if start-up seems slow.
  - add_cloud_metadata: ~
#================================ Logging =====================================
#Sets log level. The default log level is info.
#Available log levels are: error, warning, info, debug
#logging.level: debug
#At debug level, you can selectively enable logging only for some components.
#To enable all selectors use [""]. Examples of other selectors are "beat",
#"publish", "service".
#logging.selectors: [""]
#============================== Xpack Monitoring ===============================
#winlogbeat can export internal metrics to a central Elasticsearch monitoring
#cluster. This requires xpack monitoring to be enabled in Elasticsearch. The
#reporting is disabled by default.
#Set to true to enable the monitoring reporter.
#monitoring.enabled: false
#Uncomment to send the metrics to Elasticsearch. Most settings from the
#Elastic search output are accepted here as well.
#Note that the settings should point to your Elasticsearch monitoring cluster.
#Any setting that is not set is automatically inherited from the Elasticsearch
#output configuration, so if you have the Elasticsearch output configured such
#that it is pointing to your Elasticsearch monitoring cluster, you can simply
#uncomment the following line.
#monitoring.elasticsearch:
#================================= Migration ==================================
#This allows to enable 6.7 migration aliases
#migration.6_to_7.enabled: true