WinLogBeat Setup

Hi,

I'm new to WinLogBeat and trying to set it up on my work machine, and of course, due to a lack of Admin privileges, I'm not able to start WinLogBeat as a service as mentioned in the setup docs. I have a couple of questions on how WinLogBeat works; I tried searching Google but couldn't find an answer.

  1. Why does every tutorial on the internet suggest copying the WinLogBeat dir into C:\program files? Won't it work if this is outside of the C drive?
  2. Why do we need to start this as a service? I was able to work with FileBeat without having such issues.
  3. How does WinLogBeat know where to look for Windows service details?
    Does it just listen to Windows events and keep sending the events to the output as per the config mentioned in winlogbeat.yml?


Tutorials suggest C:\Programs because that's where most programs run and they like to keep things organized. It will run outside of that.

You don't have to run it as a service, but doing so will enable it to survive and come back up automatically after a reboot or power cycle.

Not quite sure what you are asking with the last question, but the .yml file tells it what to send. Also, FYI, make sure you put "ignore_older: 24h" after every log. Your screenshot will ignore that for the application log. The security and system logs will send ALL logs every time it restarts, duplicating lots of data.
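As an added illustration (not from the original post or its screenshot), here is a winlogbeat.yml fragment with the setting the reply describes: first with ignore_older only on the Application log, then the corrected form with it on every event log. The log names, the 24h interval and the output section are assumed.

```yaml
# Fragment 1 (assumed to match the screenshot): only Application is limited.
# Security and System have no ignore_older, so they are not age-filtered.
winlogbeat.event_logs:
  - name: Application
    ignore_older: 24h
  - name: Security
  - name: System
---
# Fragment 2 (corrected, as the reply suggests): ignore_older on every entry.
winlogbeat.event_logs:
  - name: Application
    ignore_older: 24h
  - name: Security
    ignore_older: 24h
  - name: System
    ignore_older: 24h

# Assumed output; adjust to your environment.
output.elasticsearch:
  hosts: ["localhost:9200"]
```

Only one of the two `winlogbeat.event_logs` blocks belongs in a real winlogbeat.yml; the `---` separator keeps them as distinct YAML documents here.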

Thanks for the reply.

So I will get the same output even if I place WinLogBeat outside of C:\Programs (even if I place it on a different drive, D:\), right?

  1. If I'm not running WinLogBeat as a service, I can just run winlogbeat.exe, right?

Sorry, I didn't get your last point about security & system logs. Can you put it a different way or elaborate, please?

I believe that to be true, as I run it from C:.
Regarding the setting for logs, see attached...

Thanks for the info.
