[[winlogbeat-getting-started]]
== Getting Started With Winlogbeat

include::../../libbeat/docs/shared-getting-started-intro.asciidoc[]

* <<winlogbeat-installation>>
* <<winlogbeat-configuration>>
* <<config-winlogbeat-logstash>>
* <<winlogbeat-template>>
* <<load-kibana-dashboards>>
* <<winlogbeat-starting>>
* <<view-kibana-dashboards>>

[[winlogbeat-installation]]
=== Step 1: Install Winlogbeat

*Before you begin*: If you haven't installed the {stack}, do that now. See
{stack-gs}/get-started-elastic-stack.html[Getting started with the {stack}].

. Download the Winlogbeat zip file from the
https://www.elastic.co/downloads/beats/winlogbeat[downloads page].
. Extract the contents into `C:\Program Files`.
. Rename the `winlogbeat-<version>` directory to `Winlogbeat`.
. Open a PowerShell prompt as an Administrator (right-click on the PowerShell
icon and select Run As Administrator).
. From the PowerShell prompt, run the following commands to install the service.

["source","sh",subs="attributes,callouts"]
------------------------------------------------
PS C:\Users\Administrator> cd 'C:\Program Files\Winlogbeat'
PS C:\Program Files\Winlogbeat> .\install-service-winlogbeat.ps1

Security warning
Run only scripts that you trust. While scripts from the internet can be useful,
this script can potentially harm your computer. If you trust this script, use
the Unblock-File cmdlet to allow the script to run without this warning message.
Do you want to run C:\Program Files\Winlogbeat\install-service-winlogbeat.ps1?
[D] Do not run [R] Run once [S] Suspend [?] Help (default is "D"): R

Status   Name               DisplayName
------   ----               -----------
Stopped  winlogbeat         winlogbeat
------------------------------------------------

NOTE: If script execution is disabled on your system, you need to set the
execution policy for the current session to allow the script to run. For example:
`PowerShell.exe -ExecutionPolicy Unrestricted -File .\install-service-winlogbeat.ps1`.
The `-ExecutionPolicy` parameter applies only to that PowerShell process; the
machine-wide policy is left unchanged.
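
The same installation, scripted end to end as an added example that is not part of the Winlogbeat documentation, with the checks a practitioner wants before running a downloaded installer as Administrator: the archive's SHA-512 digest is compared with the published `.sha512` file before anything is extracted, the Authenticode signature on `winlogbeat.exe` is inspected, and the execution policy is relaxed only for the one process that runs `install-service-winlogbeat.ps1`. The version string, the artifact URL and the name of the extracted directory are assumptions for this example; check them against the downloads page for the release you actually use.

```powershell
# Added example (not from the Winlogbeat docs): download, verify and install
# Winlogbeat as a service from an elevated PowerShell prompt.
# Assumptions: $Version, the artifact URL layout, the extracted directory name
# and the presence of a matching .sha512 file next to the zip.
$ErrorActionPreference = 'Stop'

$Version   = '8.12.0'                                                  # assumption
$Zip       = "winlogbeat-$Version-windows-x86_64.zip"                  # assumption
$BaseUrl   = 'https://artifacts.elastic.co/downloads/beats/winlogbeat' # assumption
$InstallTo = 'C:\Program Files\Winlogbeat'

if (Test-Path $InstallTo) {
    throw "$InstallTo already exists; stop and remove the existing service before reinstalling"
}

# Windows PowerShell 5.1 may still default to TLS 1.0, which the download host rejects.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# 1. Fetch the archive and its published SHA-512 digest.
Invoke-WebRequest -Uri "$BaseUrl/$Zip"        -OutFile "$env:TEMP\$Zip"
Invoke-WebRequest -Uri "$BaseUrl/$Zip.sha512" -OutFile "$env:TEMP\$Zip.sha512"

# 2. Compare digests before extracting. The .sha512 file is in sha512sum
#    format ("<hex>  <filename>"), so the first whitespace-separated token is the hash.
$expected = ((Get-Content "$env:TEMP\$Zip.sha512" -Raw) -split '\s+')[0].ToLower()
$actual   = (Get-FileHash -Algorithm SHA512 "$env:TEMP\$Zip").Hash.ToLower()
if ($expected -ne $actual) {
    throw "SHA-512 mismatch for ${Zip}: expected $expected, got $actual"
}

# 3. Extract under Program Files and normalise the directory name, so the
#    path registered for the service stays stable across upgrades.
Expand-Archive -Path "$env:TEMP\$Zip" -DestinationPath 'C:\Program Files'
Rename-Item -Path "C:\Program Files\winlogbeat-$Version-windows-x86_64" -NewName 'Winlogbeat'

# 4. Inspect the Authenticode signature on the binary that will run as SYSTEM.
#    Assumption: the release binary is signed; anything other than Valid stops here.
$sig = Get-AuthenticodeSignature "$InstallTo\winlogbeat.exe"
if ($sig.Status -ne 'Valid') {
    throw "winlogbeat.exe signature status is $($sig.Status)"
}
"winlogbeat.exe signed by: $($sig.SignerCertificate.Subject)"

# 5. Install the service. Bypass applies to this child process only and, unlike
#    Unrestricted, does not prompt for a script that carries the Mark of the Web.
Set-Location $InstallTo
powershell.exe -ExecutionPolicy Bypass -File .\install-service-winlogbeat.ps1

# The service is registered but not yet started; configure it first (Step 2).
Get-Service winlogbeat
```

The hash check is the part worth keeping even if the rest is done by hand: a mismatch means the archive you hold is not the one Elastic published, regardless of where it came from.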

Before starting Winlogbeat, you should look at the configuration options in the
configuration file, for example `C:\Program Files\Winlogbeat\winlogbeat.yml`.
There's also a full example configuration file called `winlogbeat.reference.yml` that
shows all non-deprecated options. For more information about these options, see
<<configuring-howto-winlogbeat>>.

[[winlogbeat-configuration]]
=== Step 2: Configure Winlogbeat

To configure Winlogbeat, you edit the `winlogbeat.yml` configuration file. See the
{libbeat}/config-file-format.html[Config File Format] section of the
_Beats Platform Reference_ for more about the structure of the config file.

Here is a sample of the `winlogbeat.yml` file:

[source,yaml]
--------------------------------------------------------------------------------
winlogbeat.event_logs:
  - name: Application
  - name: Security
  - name: System

output.elasticsearch:
  hosts:
    - localhost:9200

logging.to_files: true
logging.files:
  path: C:/ProgramData/winlogbeat/Logs
logging.level: info
--------------------------------------------------------------------------------

To configure Winlogbeat:

. In the `event_logs` section, specify the event logs that you want to monitor.
By default, Winlogbeat is set to monitor application, security, and system logs:
+
[source,yaml]
----------------------------------------------------------------------
winlogbeat.event_logs:
  - name: Application
  - name: Security
  - name: System
----------------------------------------------------------------------
+
To obtain a list of available event logs, run `Get-EventLog *` in PowerShell.
Note that `Get-EventLog` shows only the classic logs; to list every channel,
including the `Microsoft-Windows-*` operational logs, run `Get-WinEvent -ListLog *`.
For more information about the `name` setting, see the configuration details for
<<configuration-winlogbeat-options-event_logs-name,event_logs.name>>.

include::../../libbeat/docs/step-configure-output.asciidoc[]

include::../../libbeat/docs/step-configure-kibana-endpoint.asciidoc[]

include::../../libbeat/docs/step-configure-credentials.asciidoc[]

. After you save your configuration file, test it with the following command.
+
[source,shell]
----------------------------------------------------------------------
PS C:\Program Files\Winlogbeat> .\winlogbeat.exe test config -c .\winlogbeat.yml -e
----------------------------------------------------------------------

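
As an added example that is not part of the Winlogbeat documentation, the following PowerShell script carries the configuration step above through the way a security team would deploy it: the Elasticsearch password goes into the Beats keystore instead of `winlogbeat.yml`, the file ships only selected Security event IDs over TLS with certificate verification, the keystore's ACL is restricted to SYSTEM and Administrators, and both the file and the output connection are validated before the service is started. The host name, CA file path, user name, role and event-ID list are placeholders for this example; `winlogbeat_writer` is assumed to be an existing least-privilege account.

```powershell
# Added example (not from the Winlogbeat docs): keystore-backed credentials,
# a filtered winlogbeat.yml, and validation before the first start.
# Assumptions: the Elasticsearch host, CA path, user name and event-ID list
# below are placeholders; the service was installed by install-service-winlogbeat.ps1.
$ErrorActionPreference = 'Stop'
Set-Location 'C:\Program Files\Winlogbeat'

# install-service-winlogbeat.ps1 registers the service with this data path, and
# the keystore lives under path.data. Create and query it with the same path or
# the service will never see ${ES_PWD}.
$DataPath = 'C:\ProgramData\winlogbeat'
$Keystore = Join-Path $DataPath 'winlogbeat.keystore'

# 1. Put the password in the keystore rather than in the YAML file.
if (-not (Test-Path $Keystore)) {
    .\winlogbeat.exe keystore create --path.data $DataPath
}
$secret = Read-Host -AsSecureString 'Elasticsearch password for winlogbeat_writer'
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
            [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secret))
$plain | .\winlogbeat.exe keystore add ES_PWD --stdin --force --path.data $DataPath
Remove-Variable plain

# 2. The keystore is obfuscated, not encrypted: its protection is the file ACL.
icacls $Keystore /inheritance:r /grant:r 'NT AUTHORITY\SYSTEM:(F)' 'BUILTIN\Administrators:(F)' | Out-Null

# 3. Write the configuration. A single-quoted here-string keeps ${ES_PWD}
#    literal so that Winlogbeat, not PowerShell, resolves it.
@'
winlogbeat.event_logs:
  - name: Security
    ignore_older: 72h
    # Logons, explicit-credential use, privilege assignment, process creation
    # (4688 needs "Audit Process Creation" enabled), account and group changes,
    # and audit-log clearing. Event-ID list is an assumption for this example.
    event_id: 4624, 4625, 4648, 4672, 4688, 4720, 4726, 4728, 4732, 4756, 1102
  - name: System
    ignore_older: 72h
  - name: Application
    level: critical, error, warning

output.elasticsearch:
  hosts: ["https://es01.example.internal:9200"]   # assumption: your cluster
  username: "winlogbeat_writer"                   # assumption: least-privilege writer
  password: "${ES_PWD}"                           # resolved from the keystore
  ssl.certificate_authorities: ["C:/ProgramData/winlogbeat/ca.crt"]  # assumption
  ssl.verification_mode: full

logging.to_files: true
logging.files:
  path: C:/ProgramData/winlogbeat/Logs
logging.level: info
'@ | Set-Content -Path .\winlogbeat.yml -Encoding ASCII

# 4. Validate the file, then prove the output is reachable with these
#    credentials and this CA, before Start-Service hides the failure in a log.
.\winlogbeat.exe test config -c .\winlogbeat.yml --path.data $DataPath -e
.\winlogbeat.exe test output -c .\winlogbeat.yml --path.data $DataPath -e
```

The `--path.data` flag is the part most often missed: run `keystore create` without it and the keystore lands in `C:\Program Files\Winlogbeat\data`, `test config` passes from the shell, and the service then fails to authenticate because it resolves `${ES_PWD}` against an empty keystore under `C:\ProgramData\winlogbeat`.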
[[config-winlogbeat-logstash]]
=== Step 3: Configure Winlogbeat to use Logstash

:win:
include::../../libbeat/docs/shared-logstash-config.asciidoc[]

[[winlogbeat-template]]
=== Step 4: Load the index template in Elasticsearch

include::../../libbeat/docs/shared-template-load.asciidoc[]

[[load-kibana-dashboards]]
=== Step 5: Set up the Kibana dashboards

:win:
include::../../libbeat/docs/dashboards.asciidoc[]

[[winlogbeat-starting]]
=== Step 6: Start Winlogbeat

Start the Winlogbeat service with the following command. If you are accessing a
secured Elasticsearch cluster, make sure you've configured credentials as
described in <<{beatname_lc}-configuration>>.

[source,shell]
----------------------------------------------------------------------
PS C:\Program Files\Winlogbeat> Start-Service winlogbeat
----------------------------------------------------------------------

Winlogbeat should now be running. If you used the configuration described here,
then you can view the log file at `C:\ProgramData\winlogbeat\Logs\winlogbeat`.

You can view the status of the service and control it from the Services
management console in Windows. To launch the management console, run
this command:

[source,shell]
----------------------------------------------------------------------
PS C:\Program Files\Winlogbeat> services.msc
----------------------------------------------------------------------

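
Beyond `Start-Service`, this added example (not part of the original page) checks what a defender actually cares about once the service reports Running: that the registered binary path and service account are the expected ones, that the service will come back on reboot, and that the newest log file contains no output errors. It assumes the service was installed by `install-service-winlogbeat.ps1`, so logs are under `C:\ProgramData\winlogbeat\Logs`; the `"log.level":"error"` and `ERROR` patterns cover the JSON and plain-text log formats respectively.

```powershell
# Added example (not from the Winlogbeat docs): start the service and verify
# that it is configured and shipping as intended, not merely "Running".
# Assumption: install-service-winlogbeat.ps1 registered the service, so the
# binary is under Program Files and logs go to C:\ProgramData\winlogbeat\Logs.
$ErrorActionPreference = 'Stop'
$LogDir = 'C:\ProgramData\winlogbeat\Logs'

Start-Service winlogbeat
(Get-Service winlogbeat).WaitForStatus('Running', [TimeSpan]::FromSeconds(30))

# What is running, from where, and as whom. The installer registers the
# executable under Program Files running as LocalSystem with automatic start;
# a different path or account means a different (or altered) installation.
$svc = Get-CimInstance Win32_Service -Filter "Name='winlogbeat'"
"{0}, start mode {1}, account {2}" -f $svc.State, $svc.StartMode, $svc.StartName
$svc.PathName
if ($svc.StartName -ne 'LocalSystem') {
    Write-Warning "Unexpected service account: $($svc.StartName)"
}
if ($svc.StartMode -ne 'Auto') {
    Write-Warning "Service will not start at boot (StartMode=$($svc.StartMode))"
}
if ($svc.PathName -notlike '"C:\Program Files\Winlogbeat\winlogbeat.exe"*') {
    Write-Warning "Service binary is not the expected path: $($svc.PathName)"
}

# Give the beat time to connect to the output, then scan the newest log file.
Start-Sleep -Seconds 10
$log = Get-ChildItem $LogDir -Filter 'winlogbeat*' -File |
       Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $log) {
    Write-Warning "No log file in $LogDir yet; check logging.to_files and the service state"
} else {
    $errors = Select-String -Path $log.FullName -Pattern '"log.level":"error"|\bERROR\b' |
              Select-Object -Last 5
    if ($errors) { $errors | ForEach-Object { $_.Line } }
    else         { "No errors in $($log.Name)" }
}
```

A host that stops shipping cannot report its own silence, so pair this local check with a rule on the receiving side that alerts when a known host has sent no Windows events for longer than expected.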

==== Stop Winlogbeat

Stop the Winlogbeat service with the following command:

[source,shell]
----------------------------------------------------------------------
PS C:\Program Files\Winlogbeat> Stop-Service winlogbeat
----------------------------------------------------------------------

[[view-kibana-dashboards]]
=== Step 7: View the sample Kibana dashboards

To make it easier for you to start monitoring your servers in Kibana, we have
created example {beatname_uc} dashboards. You loaded the dashboards earlier
when you ran the `setup` command.

include::../../libbeat/docs/opendashboards.asciidoc[]

The dashboards are provided as examples. We recommend that you
{kibana-ref}/dashboard.html[customize] them to meet your needs.

[role="screenshot"]
image:./images/winlogbeat-dashboard.png[Winlogbeat statistics]