Winlogbeat is used to collect Windows event logs (the Security, Application, System and other channels) and ship them to an output.

Official installation guide: https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation.html

Example configuration for collecting events and writing them to Elasticsearch:

winlogbeat.event_logs:
  - name: Security
    ignore_older: 24h
    event_id: 4624, 4625, 4626, 4627
    tags: ["Security_205"]
    fields:
      type: "Security_205"
      log_topic: "Security_205"
    fields_under_root: true

# Override the default Elasticsearch index. The index name must be lowercase:
# Elasticsearch rejects names containing uppercase letters, so nothing would be written.
# A custom index also requires setup.template.name and setup.template.pattern.
output.elasticsearch:
  hosts: ["10.10.5.78:9200","10.10.5.79:9200","10.10.5.80:9200"]
  index: "security_205-%{+yyyy.MM.dd}"
setup.template.name: "security_205"
setup.template.pattern: "security_205-*"

# To use the official dashboards with a custom index, setup.dashboards.index
# must be changed to match the index pattern as well.
setup.dashboards.enabled: true
setup.dashboards.index: "security_205-*"
setup.kibana:
  host: "10.10.5.109:5601"

logging.to_files: true
logging.files:
  path: C:\Program Files\WinlogBeat\log
logging.level: info

Parameter notes:

- name: the event log channel to collect (Security, Application, System, or any channel name shown in Event Viewer).

- ignore_older: skip events older than this duration; very useful on the first run, so the whole history of the channel is not shipped.

- event_id: the event IDs to collect, as a comma-separated list; single IDs (4624), ranges (4700-4800) and exclusions (-4735) are accepted. By default every event in the channel is collected.

- logging.to_files: write Winlogbeat's own operational log to files (logging.files.path, logging.level). This is the beat's diagnostic log, not a buffer for events: when the output cannot be reached, the connection errors are logged here, while Winlogbeat keeps the last read position of each channel in its registry file (.winlogbeat.yml under the data path) and resumes from that position once the output is back.

Note: when writing to Elasticsearch, the default index name is winlogbeat-* (winlogbeat-<version>-<date>); change it to the name you need. A custom index also requires setup.template.name and setup.template.pattern, otherwise Winlogbeat refuses to start.
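The event_id whitelist/blacklist syntax and the index-name rule behind the "no uppercase letters" comment are easy to get wrong before the first event ever reaches Elasticsearch. The following Python script is an added example written for this page (it is not Winlogbeat or Elastic code and does not call Winlogbeat): it reimplements the documented event_id semantics (single IDs, ranges such as 4700-4800, exclusions such as -4735), renders the date pattern in the index name, and checks the concrete name against Elasticsearch's naming rules and against setup.template.pattern. The date-format expansion handles only the yyyy, MM, dd and HH tokens, an assumption made for the example; the configuration values are the ones from this page.

```python
"""Added example for this page (not Winlogbeat or Elastic code): checks the
winlogbeat.event_logs event_id expression and the custom Elasticsearch index
name from the configuration above before the first event is shipped."""
import fnmatch
import re
from datetime import date
from typing import List, Set, Tuple, Union

# Characters Elasticsearch refuses in an index name (uppercase is checked separately).
_FORBIDDEN = set('\\/*?"<>|, #:')
# Joda-style date tokens handled by render_index (assumption: only these four appear).
_DATE_TOKENS = (("yyyy", "%Y"), ("MM", "%m"), ("dd", "%d"), ("HH", "%H"))


def parse_event_id(expr: str) -> Tuple[Set[int], Set[int]]:
    """Split an event_id expression into (includes, excludes).

    Accepted items, as documented for Winlogbeat: a single ID to include (4624),
    a range to include (4700-4800) and a single ID to exclude (-4735).
    """
    includes: Set[int] = set()
    excludes: Set[int] = set()
    for item in (part.strip() for part in expr.split(",")):
        if not item:
            continue                      # tolerate a trailing comma
        if item.startswith("-"):
            excludes.add(int(item[1:]))
        elif "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad event_id range {item!r}")
            includes.update(range(lo, hi + 1))
        else:
            includes.add(int(item))
    return includes, excludes


def event_selected(expr: str, event_id: int) -> bool:
    """True if an event with this ID passes the event_id filter.

    An empty expression, or one made only of exclusions, selects every other ID.
    """
    includes, excludes = parse_event_id(expr)
    if event_id in excludes:
        return False
    return not includes or event_id in includes


def render_index(pattern: str, day: Union[date, str]) -> str:
    """Expand %{+yyyy.MM.dd}-style date formats into a concrete index name."""
    if isinstance(day, str):
        day = date.fromisoformat(day)

    def expand(match: "re.Match[str]") -> str:
        fmt = match.group(1)
        for joda, strftime in _DATE_TOKENS:
            fmt = fmt.replace(joda, strftime)
        return day.strftime(fmt)

    return re.sub(r"%\{\+([^}]+)\}", expand, pattern)


def index_name_problems(name: str) -> List[str]:
    """Return the Elasticsearch naming rules a concrete index name violates."""
    if not name:
        return ["is empty"]
    problems: List[str] = []
    if name != name.lower():
        problems.append("contains uppercase letters")
    bad = sorted(set(name) & _FORBIDDEN)
    if bad:
        problems.append("contains forbidden characters: " + "".join(bad))
    if name[0] in "-_+":
        problems.append("starts with -, _ or +")
    if name in (".", ".."):
        problems.append("is . or ..")
    if len(name.encode("utf-8")) > 255:
        problems.append("is longer than 255 bytes")
    return problems


def template_covers(template_pattern: str, index: str) -> bool:
    """Does setup.template.pattern match the index the events will land in?"""
    return fnmatch.fnmatchcase(index, template_pattern)


def check_output_config(index_pattern: str, template_pattern: str,
                        day: Union[date, str]) -> List[str]:
    """Everything worth fixing before starting the beat with this output config."""
    index = render_index(index_pattern, day)
    problems = [f"index {index!r} {p}" for p in index_name_problems(index)]
    if not template_covers(template_pattern, index):
        problems.append(f"setup.template.pattern {template_pattern!r} does not cover {index!r}")
    return problems


if __name__ == "__main__":
    today = date.today()
    # The page's working configuration, and the uppercase variant the comment warns about.
    for idx in ("security_205-%{+yyyy.MM.dd}", "Security_205-%{+yyyy.MM.dd}"):
        print(idx, "->", check_output_config(idx, "security_205-*", today) or "ok")
    for eid in (4624, 4625, 4688):
        print("4624, 4625, 4626, 4627 selects", eid, "->",
              event_selected("4624, 4625, 4626, 4627", eid))
```

Run it before deploying a changed winlogbeat.yml; an uppercase index or a template pattern that does not cover the rendered index shows up here instead of as a rejected bulk request on the Elasticsearch side.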

Example configuration for collecting events and writing them to Kafka:

winlogbeat.event_logs:
  - name: Security
    ignore_older: 24h
    event_id: 4624, 4625, 4626, 4627
    tags: ["Security_205"]
    fields:
      type: "Security_205"
      log_topic: "Security_205"
    fields_under_root: true

output.kafka:
  enabled: true
  hosts: ["10.78.1.85:9092","10.78.1.87:9092","10.78.1.71:9092"]
  # The topic is taken from the log_topic field set above. This only resolves
  # because fields_under_root is true; otherwise the field sits under fields.log_topic.
  topic: "%{[log_topic]}"
  partition.round_robin:
    reachable_only: true
  worker: 2
  required_acks: 1          # wait for the partition leader only
  compression: gzip
  # Raises the default of 1000000 bytes; bigger events are dropped. The broker's
  # message.max.bytes (and the topic's max.message.bytes) must allow this size too.
  max_message_bytes: 10000000

# Loading the dashboards needs only Kibana, but the index template is loaded through
# the Elasticsearch output. With Kafka as the output, run `winlogbeat setup` once with
# an Elasticsearch output (for example via -E output.elasticsearch.hosts=...) so the
# template exists before events arrive in Elasticsearch through Kafka.
setup.dashboards.enabled: true
setup.dashboards.index: "security_205-*"
setup.kibana:
  host: "10.10.5.109:5601"

logging.to_files: true
logging.files:
  path: C:\Program Files\WinlogBeat\log
logging.level: info
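With fields_under_root: true, the log_topic field sits at the top level of the event, which is what lets topic: "%{[log_topic]}" resolve. The script below is an added example written for this page (not Winlogbeat's or Elastic's code): it models how the Kafka output's topic selector and the max_message_bytes limit act on a constructed Security 4625 event, showing that the same topic format cannot be resolved when fields_under_root is false, that the nested reference %{[fields][log_topic]} then works instead, and that an oversized event is dropped rather than sent. The event contents, the field-reference resolver and the Kafka topic-name check (letters, digits, '.', '_' and '-', at most 249 characters) are assumptions of the example, not captured data.

```python
"""Added example for this page (not Winlogbeat or Elastic code): models how the
Kafka output above picks a topic from the event and applies max_message_bytes."""
import copy
import json
import re
from typing import Any, Dict, Optional, Tuple

# Constructed sample event, shaped like a Winlogbeat Security 4625 record; not a capture.
SAMPLE_EVENT: Dict[str, Any] = {
    "@timestamp": "2024-01-31T08:15:00.000Z",
    "message": "An account failed to log on.",
    "winlog": {
        "channel": "Security",
        "event_id": 4625,
        "event_data": {
            "TargetUserName": "svc_backup",
            "LogonType": "3",
            "IpAddress": "10.10.5.200",
        },
    },
    "tags": ["Security_205"],
}

# Kafka topic names: letters, digits, '.', '_' and '-', at most 249 characters.
_TOPIC_NAME = re.compile(r"^[A-Za-z0-9._-]{1,249}$")
_FIELD_REF = re.compile(r"%\{((?:\[[^\]]+\])+)\}")


def apply_fields(event: Dict[str, Any], fields: Dict[str, Any],
                 fields_under_root: bool) -> Dict[str, Any]:
    """Attach the `fields:` block the way Winlogbeat does: at the top level when
    fields_under_root is true, otherwise nested under a `fields` object."""
    out = copy.deepcopy(event)
    if fields_under_root:
        out.update(fields)
    else:
        out.setdefault("fields", {}).update(fields)
    return out


def resolve_format(fmt: str, event: Dict[str, Any]) -> str:
    """Replace %{[a][b]} field references with values from the event.

    Raises KeyError when a referenced field is absent, which is the situation the
    Kafka output is in when no topic can be selected for an event.
    """
    def lookup(match: "re.Match[str]") -> str:
        path = re.findall(r"\[([^\]]+)\]", match.group(1))
        node: Any = event
        for key in path:
            if not isinstance(node, dict) or key not in node:
                raise KeyError("field %s missing from event" % ".".join(path))
            node = node[key]
        return str(node)

    return _FIELD_REF.sub(lookup, fmt)


def publish_decision(event: Dict[str, Any], topic_fmt: str,
                     max_message_bytes: int) -> Tuple[Optional[str], Optional[str]]:
    """Return (topic, None) if the event would be sent, or (None, reason) if not."""
    try:
        topic = resolve_format(topic_fmt, event)
    except KeyError as exc:
        return None, exc.args[0]
    if not _TOPIC_NAME.match(topic):
        return None, f"illegal Kafka topic name {topic!r}"
    # The output JSON-encodes the event; messages bigger than max_message_bytes are dropped.
    size = len(json.dumps(event, separators=(",", ":")).encode("utf-8"))
    if size > max_message_bytes:
        return None, f"event is {size} bytes, above max_message_bytes={max_message_bytes}"
    return topic, None


if __name__ == "__main__":
    page_fields = {"type": "Security_205", "log_topic": "Security_205"}
    for under_root in (True, False):
        ev = apply_fields(SAMPLE_EVENT, page_fields, under_root)
        print(f"fields_under_root={under_root}:",
              publish_decision(ev, "%{[log_topic]}", 10000000))
    # The nested form works once the reference names the real location of the field.
    ev = apply_fields(SAMPLE_EVENT, page_fields, False)
    print("nested reference:", publish_decision(ev, "%{[fields][log_topic]}", 10000000))
    print("tiny limit:", publish_decision(ev, "%{[fields][log_topic]}", 64))
```

The same resolver also explains the Elasticsearch variant: anything you put in fields: can drive the index or topic name, but only at the path where fields_under_root actually places it.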