Winlogbeats service sugestion

Elastic Stack Beats
1

HI everyone, this is my first post so be kind if im wrong (also excuse my non native english). Where do i make sugestion for Winlogbeat (or any other ELK part)??

So i was instaling my first ELK lab, version 5.6.2 was the latest when i downloaded it, so im going with that ver.
Instaled, Elasticsearch, Logstash and Kibana. So far so good, then i was about to install Winlogbeat on the same PC as part of the test, And being the curious cat i am ... i tried to run the install PS1 script from PowerShell ISE, to see line by line what it does... a then noticed 3 things:

  1. The damm line "$workdir = Split-Path $MyInvocation.MyCommand.Path" only works when running as a script (not in ISE, nor PS Console), becasue it uses a Automatic_Variable. Maybe note that in the comments
  2. The new service created by the script, doesnt have a description... maybe add a Description, for example "Forwards Windows Events to logstash..."
  3. The New Service uses "hardcoded" paths, maybe in a new version you could ask if the user wants to use the default paths or redirecte the data.path (in my case i use D: for ProgramFiles and E: for ProgramData, elaving C: mostly for the OS)

So there is a place to contribute sugestions and improvements? Or maybe just lave it here and back away slowly xD....

Thanks
Alvaro

Image 1155
Image 1155.jpg887×336 150 KB

2

Hi Alvaro, yes, contributions are welcomed via Github pull requests. See https://github.com/elastic/beats/blob/master/CONTRIBUTING.md.

The file in question is located at https://github.com/elastic/beats/blob/master/dev-tools/packer/platforms/windows/install-service.ps1.j2. It is a template. The same template is use for all Beats.

I don't think any of us are PowerShell experts so if you want to fix that automatic variable issue so that the script also works in ISA that would be great.

Adding a description should be simple because we already add this info to RPMs and there should be an existing variable for it {{.beat_description}}. Upper casing the display name would be nice too.

1 Like
3

Hi andrew, thanks for the reply... im never used github before, ill give it a try after i get my ELK implementation working on my Lab PC, I need something neat to show and sell the idea to my bosses...the security team uses Qradar but i hate that thing with the white hot intensity of a thousand suns XD

regards

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.