176 lines
6.4 KiB
Text
176 lines
6.4 KiB
Text
|
[[winlogbeat-getting-started]]
|
|||
|
|
== Getting Started With Winlogbeat
|
|||
|
|
|
|||
|
|
include::../../libbeat/docs/shared-getting-started-intro.asciidoc[]
|
|||
|
|
|
|||
|
|
* <<winlogbeat-installation>>
|
|||
|
|
* <<winlogbeat-configuration>>
|
|||
|
|
* <<config-winlogbeat-logstash>>
|
|||
|
|
* <<winlogbeat-template>>
|
|||
|
|
* <<load-kibana-dashboards>>
|
|||
|
|
* <<winlogbeat-starting>>
|
|||
|
|
* <<view-kibana-dashboards>>
|
|||
|
|
|
|||
|
|
[[winlogbeat-installation]]
|
|||
|
|
=== Step 1: Install Winlogbeat
|
|||
|
|
|
|||
|
|
*Before you begin*: If you haven't installed the {stack}, do that now. See
|
|||
|
|
{stack-gs}/get-started-elastic-stack.html[Getting started with the {stack}].
|
|||
|
|
|
|||
|
|
. Download the Winlogbeat zip file from the
|
|||
|
|
https://www.elastic.co/downloads/beats/winlogbeat[downloads page].
|
|||
|
|
. Extract the contents into `C:\Program Files`.
|
|||
|
|
. Rename the `winlogbeat-<version>` directory to `Winlogbeat`.
|
|||
|
|
. Open a PowerShell prompt as an Administrator (right-click on the PowerShell
|
|||
|
|
icon and select Run As Administrator).
|
|||
|
|
. From the PowerShell prompt, run the following commands to install the service.
|
|||
|
|
|
|||
|
|
["source","sh",subs="attributes,callouts"]
|
|||
|
|
------------------------------------------------
|
|||
|
|
PS C:\Users\Administrator> cd 'C:\Program Files\Winlogbeat'
|
|||
|
|
PS C:\Program Files\Winlogbeat> .\install-service-winlogbeat.ps1
|
|||
|
|
|
|||
|
|
Security warning
|
|||
|
|
Run only scripts that you trust. While scripts from the internet can be useful,
|
|||
|
|
this script can potentially harm your computer. If you trust this script, use
|
|||
|
|
the Unblock-File cmdlet to allow the script to run without this warning message.
|
|||
|
|
Do you want to run C:\Program Files\Winlogbeat\install-service-winlogbeat.ps1?
|
|||
|
|
[D] Do not run [R] Run once [S] Suspend [?] Help (default is "D"): R
|
|||
|
|
|
|||
|
|
Status Name DisplayName
|
|||
|
|
------ ---- -----------
|
|||
|
|
Stopped winlogbeat winlogbeat
|
|||
|
|
------------------------------------------------
|
|||
|
|
|
|||
|
|
NOTE: If script execution is disabled on your system, you need to set the
|
|||
|
|
execution policy for the current session to allow the script to run. For example:
|
|||
|
|
`PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-winlogbeat.ps1`.
|
|||
|
|
|
|||
|
|
Before starting Winlogbeat, you should look at the configuration options in the
|
|||
|
|
configuration file, for example `C:\Program Files\Winlogbeat\winlogbeat.yml`.
|
|||
|
|
There’s also a full example configuration file called `winlogbeat.reference.yml` that
|
|||
|
|
shows all non-deprecated options. For more information about these options, see
|
|||
|
|
<<configuring-howto-winlogbeat>>.
|
|||
|
|
|
|||
|
|
[[winlogbeat-configuration]]
|
|||
|
|
=== Step 2: Configure Winlogbeat
|
|||
|
|
|
|||
|
|
To configure Winlogbeat, you edit the `winlogbeat.yml` configuration file. See the
|
|||
|
|
{libbeat}/config-file-format.html[Config File Format] section of the
|
|||
|
|
_Beats Platform Reference_ for more about the structure of the config file.
|
|||
|
|
|
|||
|
|
Here is a sample of the `winlogbeat.yml` file:
|
|||
|
|
|
|||
|
|
[source,yaml]
|
|||
|
|
--------------------------------------------------------------------------------
|
|||
|
|
winlogbeat.event_logs:
|
|||
|
|
- name: Application
|
|||
|
|
- name: Security
|
|||
|
|
- name: System
|
|||
|
|
|
|||
|
|
output.elasticsearch:
|
|||
|
|
hosts:
|
|||
|
|
- localhost:9200
|
|||
|
|
|
|||
|
|
logging.to_files: true
|
|||
|
|
logging.files:
|
|||
|
|
path: C:/ProgramData/winlogbeat/Logs
|
|||
|
|
logging.level: info
|
|||
|
|
--------------------------------------------------------------------------------
|
|||
|
|
|
|||
|
|
To configure Winlogbeat:
|
|||
|
|
|
|||
|
|
. In the `event_logs` section, specify the event logs that you want to monitor.
|
|||
|
|
By default, Winlogbeat is set to monitor application, security, and system logs:
|
|||
|
|
+
|
|||
|
|
[source,yaml]
|
|||
|
|
----------------------------------------------------------------------
|
|||
|
|
winlogbeat.event_logs:
|
|||
|
|
- name: Application
|
|||
|
|
- name: Security
|
|||
|
|
- name: System
|
|||
|
|
----------------------------------------------------------------------
|
|||
|
|
+
|
|||
|
|
To obtain a list of available event logs, run `Get-EventLog *` in PowerShell.
|
|||
|
|
For more information about this command, see the configuration details for
|
|||
|
|
<<configuration-winlogbeat-options-event_logs-name,event_logs.name>>.
|
|||
|
|
|
|||
|
|
include::../../libbeat/docs/step-configure-output.asciidoc[]
|
|||
|
|
|
|||
|
|
include::../../libbeat/docs/step-configure-kibana-endpoint.asciidoc[]
|
|||
|
|
|
|||
|
|
include::../../libbeat/docs/step-configure-credentials.asciidoc[]
|
|||
|
|
|
|||
|
|
. After you save your configuration file, test it with the following command.
|
|||
|
|
+
|
|||
|
|
[source,shell]
|
|||
|
|
----------------------------------------------------------------------
|
|||
|
|
PS C:\Program Files\Winlogbeat> .\winlogbeat.exe test config -c .\winlogbeat.yml -e
|
|||
|
|
----------------------------------------------------------------------
|
|||
|
|
|
|||
|
|
[[config-winlogbeat-logstash]]
|
|||
|
|
=== Step 3: Configure Winlogbeat to use Logstash
|
|||
|
|
|
|||
|
|
:win:
|
|||
|
|
include::../../libbeat/docs/shared-logstash-config.asciidoc[]
|
|||
|
|
|
|||
|
|
[[winlogbeat-template]]
|
|||
|
|
=== Step 4: Load the index template in Elasticsearch
|
|||
|
|
|
|||
|
|
include::../../libbeat/docs/shared-template-load.asciidoc[]
|
|||
|
|
|
|||
|
|
[[load-kibana-dashboards]]
|
|||
|
|
=== Step 5: Set up the Kibana dashboards
|
|||
|
|
|
|||
|
|
:win:
|
|||
|
|
include::../../libbeat/docs/dashboards.asciidoc[]
|
|||
|
|
|
|||
|
|
[[winlogbeat-starting]]
|
|||
|
|
=== Step 6: Start Winlogbeat
|
|||
|
|
|
|||
|
|
Start the Winlogbeat service with the following command. If you are accessing a
|
|||
|
|
secured Elasticsearch cluster, make sure you've configured credentials as
|
|||
|
|
described in <<{beatname_lc}-configuration>>.
|
|||
|
|
|
|||
|
|
[source,shell]
|
|||
|
|
----------------------------------------------------------------------
|
|||
|
|
PS C:\Program Files\Winlogbeat> Start-Service winlogbeat
|
|||
|
|
----------------------------------------------------------------------
|
|||
|
|
|
|||
|
|
Winlogbeat should now be running. If you used the configuration described here,
|
|||
|
|
then you can view the log file at `C:\ProgramData\winlogbeat\Logs\winlogbeat`.
|
|||
|
|
|
|||
|
|
You can view the status of the service and control it from the Services
|
|||
|
|
management console in Windows. To launch the management console, run
|
|||
|
|
this command:
|
|||
|
|
|
|||
|
|
[source,shell]
|
|||
|
|
----------------------------------------------------------------------
|
|||
|
|
PS C:\Program Files\Winlogbeat> services.msc
|
|||
|
|
----------------------------------------------------------------------
|
|||
|
|
|
|||
|
|
|
|||
|
|
==== Stop Winlogbeat
|
|||
|
|
|
|||
|
|
Stop the Winlogbeat service with the following command:
|
|||
|
|
|
|||
|
|
[source,shell]
|
|||
|
|
----------------------------------------------------------------------
|
|||
|
|
PS C:\Program Files\Winlogbeat> Stop-Service winlogbeat
|
|||
|
|
----------------------------------------------------------------------
|
|||
|
|
|
|||
|
|
[[view-kibana-dashboards]]
|
|||
|
|
=== Step 7: View the sample Kibana dashboards
|
|||
|
|
|
|||
|
|
To make it easier for you to start monitoring your servers in Kibana, we have
|
|||
|
|
created example {beatname_uc} dashboards. You loaded the dashboards earlier
|
|||
|
|
when you ran the `setup` command.
|
|||
|
|
|
|||
|
|
include::../../libbeat/docs/opendashboards.asciidoc[]
|
|||
|
|
|
|||
|
|
The dashboards are provided as examples. We recommend that you
|
|||
|
|
{kibana-ref}/dashboard.html[customize] them to meet your needs.
|
|||
|
|
|
|||
|
|
[role="screenshot"]
|
|||
|
|
image:./images/winlogbeat-dashboard.png[Winlogbeat statistics]
|