Hello,
Where do I find files that i sent via winlogbeat when using the Elasticsearch output? Can I add indexes?
And how could I send just a selection of files, that is e.g. stored in some directory?
I tried:
- name: 'C:\path\to\dir\*'
#and
- name: 'C:\path\to\file'
but neither of them worked.
Hi,
Winlogbeat cannot be used (as far as i know) to send log files. The usage of winlogbeat is meant for sending the windows event logs.
If you want to ingest log files (for example IIS logs), I recommend using Filebeat.
Which would then look something like
filebeat.inputs:
- type: log
paths:
- C:\path\to\dir\*
- C:\path\to\dir\*
(might be you have to use / instead of \ don't remember on top of mind)
Especially for certain inputs I recommend using the OOTB modules provided with Filebeat as these will handle the parsing, log ingest etc for you.
Hi,
Seems I did not specify that enough..
My VM is going to receive some Windows Event Log-Files from a selection of machines. These files are ment to be stored in Elasticsearch.
But the winlog.yml only contains Security/Application/.. and the addition of a path does not result in data beeing sent.
So to clarify:
I want to know where I should set the Path for the Files I want to send.
This is what I tried so far
windows.event_logs:
- name: C:/path/to/file
- name: C:\path\to\file
- name: "C:/path/to/file"
- name: "C:\path\to\file"
I also tried:
\winlogbeat.exe -e -c .\winlogbeat-evtx.yml -E EVTX_FILE=<specific_evtx_file_path>
But neither worked. Is it possible at all to just send one stored file?
Ok, I did it.
I deleted every index and then made it work with:
windows.event_logs:
- name: C:/path/to/file
So in conclusion:
Some weird error happened before.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.