Use wildcards in Channels with Winlogbeat


(Thomas Widhalm) #1

If I want to watch all or almost all log channels on a Windows server
the config file becomes quite bulky and defining all the channels is not
a fun thing to do.

Is there a way to define channels more easily like with wildcards or even tell winlogbeat to read all channels and just blacklist the ones I don't want?

Cheers,
Thomas


(Andrew Kroh) #2

There is no support for wildcards today. It's not too hard to generate the configuration file if you are using some kind of CM tool (like Ansible) to manage the installation and config. You could generate a one-off config using the script below.

I agree the file does get big, but it's quite straightforward to manage. You know exactly what logs are going to be read.

If wildcard support was added, I would want it to periodically check for new event logs. This is the one thing that you won't get with a generated config file. You can open an enhancement request for this feature in elastic/beats so that it is tracked with the other requests and does not get forgotten. There are other feature requests (adding the event parameters #1053 and filtering) that will be worked first. We welcome contributions to the project if you want to add this feature yourself.

generate-winlogbeat-config.ps1

# Start the YAML with the winlogbeat section header; the channel list is appended below.
$lines = @"
winlogbeat:
  event_logs:

"@
# Enumerate every event log channel registered on this host and emit one
# "- name:" entry per channel. -ErrorAction SilentlyContinue suppresses the
# access-denied errors that some channels raise in a non-elevated session.
Get-WinEvent -ListLog * -ErrorAction SilentlyContinue | ForEach-Object {$lines += "    - name: $($_.LogName)`n"}
# Append the output and logging sections.
$lines += @"
output:
  elasticsearch:
    hosts:
      - localhost:9200

logging:
  to_files: true
  files:
    path: C:/ProgramData/winlogbeat/Logs
  level: info

"@
# Write the generated configuration next to the script.
Out-File -InputObject $lines -FilePath winlogbeat.all.yml

PS C:\vagrant\winlogbeat> .\generate-winlogbeat-config.ps1
PS C:\vagrant\winlogbeat> .\winlogbeat.exe -c .\winlogbeat.all.yml -e -v
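As an added example (not code from the thread above or from the Winlogbeat project), the script below extends the generator idea to the two things asked for in this thread: a deny-list with wildcards instead of listing every channel by hand, and a report of channels that appeared or disappeared since the file was last generated, so that a scheduled re-run stands in for the "periodically check for new event logs" behaviour that a static config cannot give you. The `$Exclude` patterns, the output file name and the Elasticsearch host are constructed placeholders, and the script assumes the `Get-WinEvent -ListLog` properties `LogName`, `LogType` and `IsEnabled` as exposed by Windows.

```powershell
# Added example, not part of the original thread or of Winlogbeat itself.
# Generates a winlogbeat.yml listing every enabled, readable channel except those
# matching a deny-list (wildcards allowed) and reports drift against the previous file.
param(
    # Constructed sample deny-list; patterns use PowerShell -like wildcards.
    [string[]]$Exclude = @('Microsoft-Windows-WMI-Activity/*', '*/Debug'),
    [string]$OutFile = 'winlogbeat.all.yml',
    [string]$ElasticsearchHost = 'localhost:9200'   # placeholder, adjust for your cluster
)

# Enumerate channels. Debug/Analytical channels cannot be collected through the
# event log API and disabled channels never produce events, so both are dropped.
# SilentlyContinue: a non-elevated session cannot read every channel's configuration.
$channels = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Where-Object { $_.IsEnabled -and ("$($_.LogType)" -notin @('Debug', 'Analytical')) } |
    Select-Object -ExpandProperty LogName |
    Sort-Object -Unique

# Apply the deny-list: a channel is skipped if any pattern matches it.
$selected = foreach ($name in $channels) {
    $blocked = $false
    foreach ($pattern in $Exclude) {
        if ($name -like $pattern) { $blocked = $true; break }
    }
    if (-not $blocked) { $name }
}

# Compare with the previously generated file, if any, so operators see which
# channels are new on this host and which have gone away since the last run.
$previous = @()
if (Test-Path $OutFile) {
    $previous = @(Get-Content $OutFile |
        ForEach-Object { if ($_ -match '^\s*-\s*name:\s*"(.+)"\s*$') { $Matches[1] } })
}
$added   = @($selected | Where-Object { $_ -notin $previous })
$removed = @($previous | Where-Object { $_ -notin $selected })

# Build the YAML. Channel names are double-quoted because many contain '/' and spaces.
$sb = New-Object System.Text.StringBuilder
[void]$sb.AppendLine('winlogbeat:')
[void]$sb.AppendLine('  event_logs:')
foreach ($name in $selected) {
    [void]$sb.AppendLine(('    - name: "{0}"' -f $name))
}
[void]$sb.AppendLine('')
[void]$sb.AppendLine('output:')
[void]$sb.AppendLine('  elasticsearch:')
[void]$sb.AppendLine('    hosts:')
[void]$sb.AppendLine(('      - {0}' -f $ElasticsearchHost))
[void]$sb.AppendLine('')
[void]$sb.AppendLine('logging:')
[void]$sb.AppendLine('  to_files: true')
[void]$sb.AppendLine('  files:')
[void]$sb.AppendLine('    path: C:/ProgramData/winlogbeat/Logs')
[void]$sb.AppendLine('  level: info')

# Write UTF-8 without a BOM so the YAML parser sees a clean file.
$fullPath = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($OutFile)
$utf8NoBom = New-Object System.Text.UTF8Encoding $false
[System.IO.File]::WriteAllText($fullPath, $sb.ToString(), $utf8NoBom)

Write-Output ("Wrote {0} channels to {1}" -f $selected.Count, $fullPath)
if ($added.Count   -gt 0) { Write-Output "New channels since last run:";     $added   | ForEach-Object { "  + $_" } }
if ($removed.Count -gt 0) { Write-Output "Channels no longer present:";      $removed | ForEach-Object { "  - $_" } }
```

Run it from an elevated prompt on a schedule (for example with a scheduled task) and feed the "new channels" lines into whatever change process you use for the Winlogbeat config; the deny-list is the place to keep chatty or irrelevant channels out without having to enumerate everything you do want.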

