Ming-der Wang
ming@log4analytics.com
winlogbeat -> ( Elasticsearch -> Kibana )
Installing Winlogbeat 1.3.1 for ELK 4.x
(for ELK 5.x, install Winlogbeat 5.0.0)
.\install-service-winlogbeat.ps1
Configuration file (winlogbeat.yml)
winlogbeat.event_logs:
  - name: Application
  - name: Security
  - name: System

output.elasticsearch:
  hosts:
    - <ELK_IP_NAME>:9200

logging.to_files: true
logging.files:
  path: C:/ProgramData/winlogbeat/Logs
logging.level: info
winlogbeat -c winlogbeat.yml
A sample winlogbeat.yml can be downloaded from the gist
Start-Service winlogbeat
winlogbeat -> ( Logstash -> Elasticsearch -> Kibana )
PS C:\Program Files\Winlogbeat> Get-EventLog *
Max(K) Retain OverflowAction Entries Log
------ ------ -------------- ------- ---
20,480 0 OverwriteAsNeeded 3,024 Application
20,480 0 OverwriteAsNeeded 0 HardwareEvents
512 7 OverwriteOlder 0 Internet Explorer
20,480 0 OverwriteAsNeeded 0 Key Management Service
20,480 0 OverwriteAsNeeded 5,179 Security
20,480 0 OverwriteAsNeeded 3,684 System
15,360 0 OverwriteAsNeeded 157 Windows PowerShell
PS C:\Program Files\Winlogbeat> ./winlogbeat.exe -c ./winlogbeat.yml
Kibana index pattern: winlogbeat-*
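The steps above (install the service, list the channels under winlogbeat.event_logs, start the service, then point Kibana at winlogbeat-*) leave out the checks an operator wants before trusting the pipeline. The script below is an added example, not part of the original slides or of the Winlogbeat project: it verifies that each configured channel exists, flags small circular logs (the Get-EventLog listing above shows Security at 20 MB with OverwriteAsNeeded, so events are overwritten if the shipper falls behind), runs the 1.x/5.x -configtest flag, checks the service, shows the bookmark file, and counts documents in Elasticsearch. It assumes Winlogbeat is installed in C:\Program Files\Winlogbeat, that install-service-winlogbeat.ps1 set path.data to C:\ProgramData\winlogbeat, and that the ELK host name is a placeholder you replace with your own <ELK_IP_NAME>.

```powershell
# Added example (not from the original slides): post-install checks for a Winlogbeat
# service shipping Application/Security/System to Elasticsearch. Run from an elevated
# PowerShell so the Security channel can be read.
$WinlogbeatDir = 'C:\Program Files\Winlogbeat'            # assumed install directory
$ConfigFile    = Join-Path $WinlogbeatDir 'winlogbeat.yml'
$DataDir       = 'C:\ProgramData\winlogbeat'               # path.data set by install-service-winlogbeat.ps1
$ElkHost       = 'elk.example.internal'                    # placeholder for <ELK_IP_NAME>
$Logs          = @('Application', 'Security', 'System')    # same channels as winlogbeat.event_logs

# 1. Each configured channel must exist and be enabled. A circular log (OverwriteAsNeeded
#    in Get-EventLog, LogMode Circular here) silently overwrites old records, so a small
#    Security log loses events whenever Winlogbeat is stopped or lagging for long enough.
foreach ($name in $Logs) {
    $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
    if (-not $log) { Write-Warning "channel '$name' not found on this host"; continue }
    $sizeMB = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
    "{0,-12} enabled={1} records={2} max={3}MB mode={4}" -f `
        $log.LogName, $log.IsEnabled, $log.RecordCount, $sizeMB, $log.LogMode
    if ($log.LogMode -eq 'Circular' -and $log.MaximumSizeInBytes -lt 100MB) {
        Write-Warning "$name is a $sizeMB MB circular log; raise it with: wevtutil sl $name /ms:<bytes>"
    }
}

# 2. Validate the config before (re)starting the service.
#    -configtest is the Beats 1.x/5.x flag; -e writes log output to stderr instead of the log file.
& (Join-Path $WinlogbeatDir 'winlogbeat.exe') -c $ConfigFile -configtest -e
if ($LASTEXITCODE -ne 0) { throw "winlogbeat.yml failed -configtest (exit code $LASTEXITCODE)" }

# 3. Service state. The service name 'winlogbeat' is what install-service-winlogbeat.ps1 registers.
$svc = Get-Service -Name winlogbeat -ErrorAction Stop
if ($svc.Status -ne 'Running') { Start-Service winlogbeat; $svc.Refresh() }
"service winlogbeat: $($svc.Status)"

# 4. The bookmark (registry) file records the last event read per channel; if it is
#    missing or stale after a restart, Winlogbeat re-reads from the configured start.
$bookmark = Join-Path $DataDir '.winlogbeat.yml'
if (Test-Path $bookmark) { "bookmarks:"; Get-Content $bookmark } else { Write-Warning "no bookmark file at $bookmark yet" }

# 5. Tail Winlogbeat's own log (logging.files.path in the config) for connection errors.
Get-ChildItem (Join-Path $DataDir 'Logs') -File -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1 |
    Get-Content -Tail 10

# 6. Confirm events reached Elasticsearch: count documents across the winlogbeat-* indices
#    that the Kibana index pattern will read. _count works on every ES version the slides mention.
$count = (Invoke-RestMethod -Uri "http://${ElkHost}:9200/winlogbeat-*/_count").count
"documents in winlogbeat-*: $count"
if ($count -eq 0) { Write-Warning 'no winlogbeat documents yet; check output.elasticsearch.hosts and the log tail above' }
```

Run it once right after Start-Service and again after a few minutes: the document count should rise between the two runs, and the Security channel's RecordCount should stay well below the size that forces overwriting.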