29 lines
1 KiB
Text
29 lines
1 KiB
Text
|
== Winlogbeat Overview
|
||
|
|
||
|
++++
|
||
|
<titleabbrev>Overview</titleabbrev>
|
||
|
++++
|
||
|
|
||
|
Winlogbeat ships Windows event logs to Elasticsearch or Logstash. You can
|
||
|
install it as a Windows service.
|
||
|
|
||
|
Winlogbeat reads from one or more event logs using Windows APIs, filters the
|
||
|
events based on user-configured criteria, then sends the event data to the
|
||
|
configured outputs (Elasticsearch or Logstash). Winlogbeat watches the event
|
||
|
logs so that new event data is sent in a timely manner. The read position for
|
||
|
each event log is persisted to disk to allow Winlogbeat to resume after
|
||
|
restarts.
|
||
|
|
||
|
Winlogbeat can capture event data from any event logs running on your system.
|
||
|
For example, you can capture events such as:
|
||
|
|
||
|
* application events
|
||
|
* hardware events
|
||
|
* security events
|
||
|
* system events
|
||
|
|
||
|
Winlogbeat is a https://www.elastic.co/products/beats[Beat], and it is based on
|
||
|
the libbeat framework. General information about libbeat and how to
|
||
|
set up Elasticsearch, Logstash, and Kibana are covered in the
|
||
|
{libbeat}/index.html[Beats Platform Reference].
|