winlogbeat用于收集windows的系统事件日志;

官网安装方法:https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation.html

收集并写入elasticsearch配置实例:

winlogbeat.event_logs:
  - name: Security
    ignore_older: 24h
    event_id: 4624, 4625,4626,4627
    tags: ["Security_205"]
    fields:
      type: "Security_205"
      log_topic: "Security_205"
    fields_under_root: true
#修改默认的elasticsearch索引; 特别注意index中不能出现大写字母,否则会无法入es中
output.elasticsearch.index: "security_205-%{+yyyy.MM.dd}"
setup.template.name: "security_205"
setup.template.pattern: "security_205-*"
output.elasticsearch:
  hosts: ["10.10.5.78:9200","10.10.5.79:9200","10.10.5.80:9200"]
#使用官方的dashboard,当elasticsearch默认修改时,setup.dashboards.index也要进行修改
setup.dashboards.enabled: true
setup.dashboards.index: "security_205-*"
setup.kibana:
  host: "10.10.5.109:5601"

logging.to_files: true
logging.files:
  path: C:Program FilesWinlogBeatlog
logging.level: info

参数说明:

- name:设定收集系统事件的日志类型;

ignore_older:设定多久以前的日志不进行收集;在初次配置时十分有效;

event_id:设定收集的事件id,默认为收集所有的事件日志;

logging.to_files:开启日志相关的配置;当输output无法连接时,会暂时写入logging相关的配置中;

注:写入elasticsearch时,会启用默认的索引名字为winlogbeat-*;要修改为自己需要的名字

收集并写入kafka相关配置:

winlogbeat.event_logs:
  - name: Security
    ignore_older: 24h
    event_id: 4624, 4625,4626,4627
    tags: ["Security_205"]
    fields:
      type: "Security_205"
      log_topic: "Security_205"
    fields_under_root: true

output.kafka:
  enabled: true
  hosts: ["10.78.1.85:9092","10.78.1.87:9092","10.78.1.71:9092"]
  topic: "%{[log_topic]}"
  partition.round_robin:
    reachable_only: true
  worker: 2
  required_acks: 1
  compression: gzip
  max_message_bytes: 10000000

setup.dashboards.enabled: true
setup.dashboards.index: "security_205-*"
setup.kibana:
  host: "10.10.5.109:5601"

logging.to_files: true
logging.files:
  path: C:Program FilesWinlogBeatlog
logging.level: info