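###################### Winlogbeat Configuration Example ##########################

# This file is an example configuration file highlighting only the most common
# options. The winlogbeat.reference.yml file from the same directory contains all the
# supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/winlogbeat/index.html

#======================= Winlogbeat specific options ==========================

# event_logs specifies a list of event logs to monitor as well as any
# accompanying options. The YAML data type of event_logs is a list of
# dictionaries.
#
# The supported keys are name (required), tags, fields, fields_under_root,
# forwarded, ignore_older, level, event_id, provider, and include_xml. Please
# visit the documentation for the complete details of each option.
# https://go.es.io/WinlogbeatConfig
winlogbeat.event_logs:
  # Only the ForwardedEvents channel is read, i.e. events delivered to this
  # host by Windows Event Forwarding subscriptions. `forwarded: true` marks
  # the channel as holding already-rendered events from remote hosts (this is
  # the documented default for ForwardedEvents; it is stated explicitly here).
  - name: ForwardedEvents
    forwarded: true

# Registry of the last read position per channel, so a restart neither
# re-ingests nor skips events.
winlogbeat.registry_file: C:/ProgramData/winlogbeat/.winlogbeat.yml

# On-disk spool: buffered events survive a process restart or an output
# outage instead of living only in memory.
queue.spool:
  file:
    path: "${path.data}/spool.dat"
    size: 512MiB
    page_size: 16KiB
  write:
    buffer_size: 10MiB
    flush.timeout: 5s
    flush.events: 1024

#==================== Elasticsearch template setting ==========================

setup.template.settings:
  index.number_of_shards: 2
  #index.codec: best_compression
  #_source.enabled: false

#================================ General =====================================

# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
name: NMSC-DEPLOY.NORTHWESTMI.LOCAL

# The tags of the shipper are included in their own field with each
# transaction published.
#tags: ["service-X", "web-tier"]

# Optional fields that you can specify to add additional information to the
# output.
fields:
  customer: "CRSC"
  #env: staging

#============================== Dashboards =====================================
# These settings control loading the sample dashboards to the Kibana index. Loading
# the dashboards is disabled by default and can be enabled either by setting the
# options here or by using the `setup` command.
setup.dashboards.enabled: true

# The URL from where to download the dashboards archive. By default this URL
# has a value which is computed based on the Beat name and version. For released
# versions, this URL points to the dashboard archive on the artifacts.elastic.co
# website.
#setup.dashboards.url:

#============================== Kibana =====================================

# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:
  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify an additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  #
  # NOTE: `cloud.id` (set below) overwrites this value, so the endpoint actually
  # used is the one encoded in cloud.id; this line is kept for readability.
  host: "https://ebbf551150b34449ad9574077b0d6b23.us-east-1.aws.found.io:9243"

  # Kibana Space ID
  # ID of the Kibana Space into which the dashboards should be loaded. By default,
  # the Default Space will be used.
  #space.id:

#============================= Elastic Cloud ==================================

# These settings simplify using winlogbeat with the Elastic Cloud (https://cloud.elastic.co/).

# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
# `setup.kibana.host` options.
# You can find the `cloud.id` in the Elastic Cloud web UI.
cloud.id: "Event_Log_Collector:dXMtZWFzdC0xLmF3cy5mb3VuZC5pbyQ0ZmMwNmQ5MWY4NjY0NWQwOWFjZjRlYTlmOWFlNTU1MSRlYmJmNTUxMTUwYjM0NDQ5YWQ5NTc0MDc3YjBkNmIyMw=="

# The cloud.auth setting overwrites the `output.elasticsearch.username` and
# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
#
# The original file carried the `elastic` superuser password in plain text
# here. A credential committed to a config file must be treated as exposed and
# rotated. Store the value in the Beats keystore instead
# (`winlogbeat keystore add CLOUD_AUTH`) and reference it as below; the key
# name CLOUD_AUTH is a placeholder chosen for this file. Prefer a dedicated
# publishing user with the minimum Winlogbeat privileges over the `elastic`
# superuser.
cloud.auth: "${CLOUD_AUTH}"

#================================ Outputs =====================================

# Configure what output to use when sending the data collected by the beat.

#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:
  # Array of hosts to connect to. Overwritten by `cloud.id` when it is set.
  hosts: ["localhost:9200"]

  # Optional protocol and basic auth credentials. Overwritten by `cloud.auth`.
  #protocol: "https"
  #username: "elastic"
  #password: "changeme"

#----------------------------- Logstash output --------------------------------
#output.logstash:
  # The Logstash hosts
  #hosts: ["localhost:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

#================================ Processors =====================================

# Configure processors to enhance or manipulate events generated by the beat.
#
# NOTE(review): add_host_metadata fills `host.*` with this collector's details.
# For forwarded events that can mask the originating machine, which is what an
# analyst needs for attribution; newer Elastic defaults tag the forwarded log
# and guard the processor with `when.not.contains.tags: forwarded`. Confirm
# against the Winlogbeat version in use before changing it.
processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~

#================================ Logging =====================================

# Sets log level. The default log level is info.
# Available log levels are: error, warning, info, debug
#logging.level: debug

# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publish", "service".
#logging.selectors: ["*"]

#============================== Xpack Monitoring ===============================
# winlogbeat can export internal metrics to a central Elasticsearch monitoring
# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The
# reporting is disabled by default.

# Set to true to enable the monitoring reporter.
xpack.monitoring.enabled: true

# Uncomment to send the metrics to Elasticsearch. Most settings from the
# Elasticsearch output are accepted here as well. Any setting that is not set is
# automatically inherited from the Elasticsearch output configuration, so if you
# have the Elasticsearch output configured, you can simply uncomment the
# following line.
#
# The empty value is deliberate: it means "inherit everything from the
# Elasticsearch output" (and thus from cloud.id / cloud.auth).
xpack.monitoring.elasticsearch:

#================================= Migration ==================================

# This allows to enable 6.7 migration aliases
migration.6_to_7.enabled: false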