winlogbeat.yml default config
| ###################### Winlogbeat Configuration Example ######################## | |
| # This file is an example configuration file highlighting only the most common | |
| # options. The winlogbeat.reference.yml file from the same directory contains | |
| # all the supported options with more comments. You can use it as a reference. | |
| # | |
| # You can find the full configuration reference here: | |
| # https://www.elastic.co/guide/en/beats/winlogbeat/index.html | |
| #======================= Winlogbeat specific options =========================== | |
| # event_logs specifies a list of event logs to monitor as well as any | |
| # accompanying options. The YAML data type of event_logs is a list of | |
| # dictionaries. | |
| # | |
| # The supported keys are name (required), tags, fields, fields_under_root, | |
| # forwarded, ignore_older, level, event_id, provider, and include_xml. Please | |
| # visit the documentation for the complete details of each option. | |
| # https://go.es.io/WinlogbeatConfig | |
| winlogbeat.event_logs: | |
| - name: Application | |
| ignore_older: 72h | |
| - name: Security | |
| ignore_older: 72h | |
| - name: System | |
| ignore_older: 72h | |
| - name: Microsoft-Windows-Sysmon/Operational | |
| ignore_older: 72h | |
| - name: Microsoft-Windows-Windows Defender/Operational | |
| ignore_older: 72h | |
| - name: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin | |
| ignore_older: 72h | |
| - name: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational | |
| ignore_older: 72h | |
| - name: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin | |
| ignore_older: 72h | |
| - name: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational | |
| ignore_older: 72h | |
| - name: Microsoft-Windows-RemoteApp and Desktop Connections/Admin | |
| ignore_older: 72h | |
| - name: Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin | |
| ignore_older: 72h | |
| - name: Microsoft-Windows-TerminalServices-LocalSessionManager/Admin | |
| ignore_older: 72h | |
| - name: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational | |
| ignore_older: 72h | |
| - name: Microsoft-Windows-TerminalServices-PnPDevices/Admin | |
| ignore_older: 72h | |
| - name: Microsoft-Windows-TerminalServices-Printers/Admin | |
| ignore_older: 72h | |
| - name: Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin | |
| ignore_older: 72h | |
| - name: Microsoft-Windows-TerminalServices-SessionBroker-Client/Admin | |
| ignore_older: 72h | |
| - name: Microsoft-Windows-VerifyHardwareSecurity/Admin | |
| ignore_older: 72h | |
| fields: | |
| logzio_codec: json | |
| token: YOURTOKEN_PLACEHOLDER | |
| type: wineventlog | |
| fields_under_root: true | |
| #==================== Elasticsearch template settings ========================== | |
| setup.template.settings: | |
| index.number_of_shards: 1 | |
| #index.codec: best_compression | |
| #_source.enabled: false | |
| #================================ General ===================================== | |
| # The name of the shipper that publishes the network data. It can be used to group | |
| # all the transactions sent by a single shipper in the web interface. | |
| #name: | |
| # The tags of the shipper are included in their own field with each | |
| # transaction published. | |
| #tags: ["service-X", "web-tier"] | |
| # Optional fields that you can specify to add additional information to the | |
| # output. | |
| #fields: | |
| # env: staging | |
| #============================== Dashboards ===================================== | |
| # These settings control loading the sample dashboards to the Kibana index. Loading | |
| # the dashboards is disabled by default and can be enabled either by setting the | |
| # options here or by using the `setup` command. | |
| #setup.dashboards.enabled: false | |
| # The URL from where to download the dashboards archive. By default this URL | |
| # has a value which is computed based on the Beat name and version. For released | |
| # versions, this URL points to the dashboard archive on the artifacts.elastic.co | |
| # website. | |
| #setup.dashboards.url: | |
| #============================== Kibana ===================================== | |
| # Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API. | |
| # This requires a Kibana endpoint configuration. | |
| setup.kibana: | |
| # Kibana Host | |
| # Scheme and port can be left out and will be set to the default (http and 5601) | |
| # In case you specify and additional path, the scheme is required: http://localhost:5601/path | |
| # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601 | |
| #host: "localhost:5601" | |
| # Kibana Space ID | |
| # ID of the Kibana Space into which the dashboards should be loaded. By default, | |
| # the Default Space will be used. | |
| #space.id: | |
| #============================= Elastic Cloud ================================== | |
| # These settings simplify using Winlogbeat with the Elastic Cloud (https://cloud.elastic.co/). | |
| # The cloud.id setting overwrites the `output.elasticsearch.hosts` and | |
| # `setup.kibana.host` options. | |
| # You can find the `cloud.id` in the Elastic Cloud web UI. | |
| #cloud.id: | |
| # The cloud.auth setting overwrites the `output.elasticsearch.username` and | |
| # `output.elasticsearch.password` settings. The format is `<user>:<pass>`. | |
| #cloud.auth: | |
| #================================ Outputs ===================================== | |
| # Configure what output to use when sending the data collected by the beat. | |
| #-------------------------- Elasticsearch output ------------------------------ | |
| #output.elasticsearch: | |
| # Array of hosts to connect to. | |
| # hosts: [""] | |
| # password: "" | |
| # Protocol - either `http` (default) or `https`. | |
| #protocol: "https" | |
| # Authentication credentials - either API key or username/password. | |
| #api_key: "id:api_key" | |
| #username: "elastic" | |
| #password: "changeme" | |
| #----------------------------- Logstash output -------------------------------- | |
| #output.logstash: | |
| # The Logstash hosts | |
| #hosts: ["localhost:5044"] | |
| output.logstash: | |
| hosts: ["listener.logz.io:5015"] | |
| ssl: | |
| certificate_authorities: ['C:\ProgramData\Winlogbeat\COMODORSADomainValidationSecureServerCA.crt'] | |
| # Optional SSL. By default is off. | |
| # List of root certificates for HTTPS server verifications | |
| #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] | |
| # Certificate for SSL client authentication | |
| #ssl.certificate: "/etc/pki/client/cert.pem" | |
| # Client Certificate Key | |
| #ssl.key: "/etc/pki/client/cert.key" | |
| #================================ Processors ===================================== | |
| # Configure processors to enhance or manipulate events generated by the beat. | |
| # ... For Winlogbeat 7 only ... | |
| processors: | |
| - rename: | |
| fields: | |
| - from: "agent" | |
| to: "beat_agent" | |
| ignore_missing: true | |
| - rename: | |
| fields: | |
| - from: "log.file.path" | |
| to: "source" | |
| ignore_missing: true | |
| - rename: | |
| fields: | |
| - from: "log" | |
| to: "log_information" | |
| ignore_missing: true | |
| #================================ Logging ===================================== | |
| # Sets log level. The default log level is info. | |
| # Available log levels are: error, warning, info, debug | |
| #logging.level: debug | |
| # At debug level, you can selectively enable logging only for some components. | |
| # To enable all selectors use ["*"]. Examples of other selectors are "beat", | |
| # "publish", "service". | |
| #logging.selectors: ["*"] | |
| #============================== X-Pack Monitoring =============================== | |
| # winlogbeat can export internal metrics to a central Elasticsearch monitoring | |
| # cluster. This requires xpack monitoring to be enabled in Elasticsearch. The | |
| # reporting is disabled by default. | |
| # Set to true to enable the monitoring reporter. | |
| #monitoring.enabled: false | |
| # Sets the UUID of the Elasticsearch cluster under which monitoring data for this | |
| # Winlogbeat instance will appear in the Stack Monitoring UI. If output.elasticsearch | |
| # is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch. | |
| #monitoring.cluster_uuid: | |
| # Uncomment to send the metrics to Elasticsearch. Most settings from the | |
| # Elasticsearch output are accepted here as well. | |
| # Note that the settings should point to your Elasticsearch *monitoring* cluster. | |
| # Any setting that is not set is automatically inherited from the Elasticsearch | |
| # output configuration, so if you have the Elasticsearch output configured such | |
| # that it is pointing to your Elasticsearch monitoring cluster, you can simply | |
| # uncomment the following line. | |
| #monitoring.elasticsearch: | |
| #================================= Migration ================================== | |
| # This allows to enable 6.7 migration aliases | |
| #migration.6_to_7.enabled: true | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment