@andrewkroh
Last active January 25, 2019 15:54
Winlogbeat Development

Start a Windows VM

vagrant up win2012

Login Options

You can connect to the VM in multiple ways.

  • Microsoft Remote Desktop (available in Mac App Store)
  • SSH
  • VirtualBox Console

Remote Desktop

Connect to 127.0.0.1:33389 with vagrant/vagrant.

SSH

vagrant ssh-config win2012 > ssh-config
echo '  HostKeyAlgorithms +ssh-dss' >> ssh-config
ssh -F ssh-config win2012
powershell

VirtualBox

Open VirtualBox and click Show on the VM.

Testing

On the host machine (not the Windows VM), update the generated files.

make update

There are two types of tests -- Go unit tests and Python unit tests. Neither requires any external services like Elasticsearch. Run them from the winlogbeat directory, in PowerShell on the VM.

cd $Env:GOPATH/src/github.com/elastic/beats/winlogbeat

Unit Test

go test -v ./...

Python Unit Tests

The Python tests drive the compiled test binary produced by go test -c, so build it first.

go test -c
nosetests.exe -v tests\system

Building winlogbeat.exe

go build

Running Winlogbeat

Clear the registry file.

To make tests repeatable you will want to delete the state (event log bookmarks) persisted by Winlogbeat in its registry file.

rm .\data\.winlogbeat.yml

Output Events to JSON File

.\winlogbeat.exe -c winlogbeat.yml -e -d eventlog -E output.elasticsearch.enabled=false -E output.file.path=output -E output.file.filename=events.json
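The clear-and-run steps above combined into one script, as an added example that is not part of the gist: it removes the persisted registry file, runs winlogbeat.exe with the file output for a fixed window, stops it, and counts the collected events. The 30-second window, the winlogbeat-debug.log file name, and the assumption that the file output lands at output\events.json (path and filename from the -E flags) are mine, not the project's.

```powershell
# Added example (not from the gist). Run from the winlogbeat directory on the VM,
# with winlogbeat.exe built and winlogbeat.yml present.

# Forget persisted bookmarks so the run starts from the same state every time.
$registry = '.\data\.winlogbeat.yml'
if (Test-Path $registry) {
    Remove-Item $registry
}

# Same flags as the manual command: debug logging for the eventlog component,
# Elasticsearch output disabled, events written to output\events.json.
$beatArgs = @(
    '-c', 'winlogbeat.yml', '-e', '-d', 'eventlog',
    '-E', 'output.elasticsearch.enabled=false',
    '-E', 'output.file.path=output',
    '-E', 'output.file.filename=events.json'
)

# -e sends Winlogbeat's own log to stderr; capture it in a file (name assumed).
$proc = Start-Process -FilePath '.\winlogbeat.exe' -ArgumentList $beatArgs `
    -PassThru -NoNewWindow -RedirectStandardError 'winlogbeat-debug.log'

Start-Sleep -Seconds 30          # collection window (assumed; adjust as needed)
Stop-Process -Id $proc.Id

# The file output writes one JSON object per line (assumed location).
$outFile = '.\output\events.json'
if (Test-Path $outFile) {
    $count = (Get-Content $outFile | Measure-Object -Line).Lines
    "Collected $count events in $outFile"
} else {
    "No output file at $outFile; check winlogbeat-debug.log"
}
```

Re-running the script after changing winlogbeat.yml gives comparable event counts because the registry file is removed on every run; leave it in place instead if you want to confirm that Winlogbeat resumes from its last bookmark.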

Output to Elasticsearch

If you have Elasticsearch running on the VirtualBox host machine you can access it at 10.0.2.2.

.\winlogbeat.exe -c winlogbeat.yml -e -d eventlog -E "output.elasticsearch.hosts=[http://10.0.2.2:9200]"