
winlogbeat: collecting Windows event logs and enabling the default template and dashboards (related configuration)

winlogbeat is used to collect Windows system event logs.

Official installation guide: https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation.html

Example configuration for collecting events and writing them to Elasticsearch:

winlogbeat.event_logs:
  - name: Security
    ignore_older: 24h
    event_id: 4624,4625,4626,4627
    tags: ["Security_205"]
    fields:
      type: "Security_205"
      log_topic: "Security_205"
    fields_under_root: true

# Change the default Elasticsearch index. Note that the index name must not
# contain uppercase letters, otherwise events cannot be written to ES.
output.elasticsearch:
  hosts: ["10.10.5.78:9200", "10.10.5.79:9200", "10.10.5.80:9200"]
  index: "security_205-%{+yyyy.MM.dd}"
setup.template.name: "security_205"
setup.template.pattern: "security_205-*"

# Use the official dashboards. When the default Elasticsearch index is changed,
# setup.dashboards.index must be changed to match.
setup.dashboards.enabled: true
setup.dashboards.index: "security_205-*"
setup.kibana:
  host: "10.10.5.109:5601"

logging.to_files: true
logging.files:
  path: C:\Program Files\WinlogBeat\log
logging.level: info

Parameter description:

- name: sets the type of system event log to collect.

- ignore_older: events older than this duration are not collected; very useful on first setup.

- event_id: sets the event IDs to collect; by default all events in the log are collected.

- logging.to_files: enables winlogbeat's own log files; when the output cannot be connected to, the related messages are written to the log location configured here.

Note: when writing to Elasticsearch, the default index name winlogbeat-* is used; change it to the name you need.

Configuration for collecting events and writing them to Kafka:

winlogbeat.event_logs:
  - name: Security
    ignore_older: 24h
    event_id: 4624,4625,4626,4627
    tags: ["Security_205"]
    fields:
      type: "Security_205"
      log_topic: "Security_205"
    fields_under_root: true

output.kafka:
  enabled: true
  hosts: ["10.78.1.85:9092", "10.78.1.87:9092", "10.78.1.71:9092"]
  topic: "%{[log_topic]}"
  partition.round_robin:
    reachable_only: true
  worker: 2
  required_acks: 1
  compression: gzip
  max_message_bytes: 10000000

setup.dashboards.enabled: true
setup.dashboards.index: "security_205-*"
setup.kibana:
  host: "10.10.5.109:5601"

logging.to_files: true
logging.files:
  path: C:\Program Files\WinlogBeat\log
logging.level: info
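Two details in the configurations above are easy to get wrong: the Elasticsearch index name must be lowercase (and must also match setup.template.pattern and setup.dashboards.index), and the Kafka topic "%{[log_topic]}" only resolves because fields_under_root is true, which puts log_topic at the event root rather than under fields. The following script is an added example, not code from the original post or from the winlogbeat project; it models both behaviours so the resolved index and topic can be checked before rollout. The config values are the ones from the post; the sample event, the date-token table (only yyyy, MM, dd and HH are handled) and the index-name rules are assumptions written for this example.

```python
"""Checks for the Elasticsearch and Kafka winlogbeat configurations above.

Added example; not code from the original post or from the winlogbeat
project. It models two behaviours the post depends on:

1. Elasticsearch rejects index names with uppercase letters (and a few
   other characters), so the resolved `output.elasticsearch.index` is
   validated and checked against the template and dashboards patterns.
2. `%{[key]}` references in `index`/`topic` are resolved against the event.
   With `fields_under_root: true` the custom fields sit at the event root;
   with `false` they live under `fields.`, so `%{[log_topic]}` would have to
   become `%{[fields.log_topic]}`.
"""
import re
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# Characters Elasticsearch does not allow in index names (uppercase is checked separately).
FORBIDDEN_INDEX_CHARS = set(' "*,/<>?\\|#:')

# Subset of the Java-style date tokens Beats accepts in %{+...}, mapped to strftime
# (assumption for this example: only these four tokens are translated).
DATE_TOKENS = (("yyyy", "%Y"), ("MM", "%m"), ("dd", "%d"), ("HH", "%H"))

# Constructed sample event: a successful logon (4624) from the Security log,
# plus the custom fields from the post's configuration.
SAMPLE_BASE = {"event_id": 4624, "log_name": "Security"}
SAMPLE_CUSTOM = {"type": "Security_205", "log_topic": "Security_205"}
SAMPLE_TS = datetime(2019, 3, 1, 12, 0, tzinfo=timezone.utc)


def validate_index_name(name):
    """Return the list of rule violations for a resolved index name ([] if valid)."""
    problems = []
    if name != name.lower():
        problems.append("contains uppercase letters")
    bad = sorted(FORBIDDEN_INDEX_CHARS & set(name))
    if bad:
        problems.append("contains forbidden characters: " + "".join(bad))
    if name.startswith(("-", "_", "+")):
        problems.append("starts with -, _ or +")
    if name in (".", ".."):
        problems.append("is . or ..")
    if len(name.encode("utf-8")) > 255:
        problems.append("longer than 255 bytes")
    return problems


def build_event(base, custom_fields, fields_under_root):
    """Place the custom `fields` on the event the way Beats does for the given setting."""
    event = dict(base)
    if fields_under_root:
        event.update(custom_fields)
    else:
        event["fields"] = dict(custom_fields)
    return event


def lookup(event, dotted):
    """Resolve a dotted field reference such as 'fields.log_topic'; KeyError if absent."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            raise KeyError(dotted)
        cur = cur[part]
    return str(cur)


def render(template, event, ts):
    """Expand %{[field]} and %{+dateformat} references in an index/topic template."""
    def expand(match):
        body = match.group(1)
        if body.startswith("+"):
            fmt = body[1:]
            for java_tok, py_tok in DATE_TOKENS:
                fmt = fmt.replace(java_tok, py_tok)
            return ts.strftime(fmt)
        if body.startswith("[") and body.endswith("]"):
            return lookup(event, body[1:-1])
        raise ValueError("unsupported format string: %{" + body + "}")
    return re.sub(r"%\{([^}]*)\}", expand, template)


def check_es_config(index_template, template_pattern, dashboards_index, event, ts):
    """Resolve the ES index for one event and report every problem found."""
    index = render(index_template, event, ts)
    problems = ["index " + p for p in validate_index_name(index)]
    if not fnmatchcase(index, template_pattern):
        problems.append("setup.template.pattern does not match index " + index)
    if not fnmatchcase(index, dashboards_index):
        problems.append("setup.dashboards.index does not match index " + index)
    return index, problems


if __name__ == "__main__":
    event = build_event(SAMPLE_BASE, SAMPLE_CUSTOM, fields_under_root=True)
    print(check_es_config("security_205-%{+yyyy.MM.dd}", "security_205-*",
                          "security_205-*", event, SAMPLE_TS))
    # The uppercase variant is exactly the mistake the post's comment warns about.
    print(check_es_config("Security_205-%{+yyyy.MM.dd}", "security_205-*",
                          "security_205-*", event, SAMPLE_TS))
    # Kafka topic resolution: works at the root, needs the fields. prefix when nested.
    print(render("%{[log_topic]}", event, SAMPLE_TS))
    nested = build_event(SAMPLE_BASE, SAMPLE_CUSTOM, fields_under_root=False)
    print(render("%{[fields.log_topic]}", nested, SAMPLE_TS))
```

Kafka topic names may contain uppercase letters, so "Security_205" is acceptable as a topic even though it would be rejected as an Elasticsearch index; the lowercase rule only applies to the index. Note also that loading the dashboards with setup.dashboards.enabled requires an Elasticsearch output to be configured: with the Kafka output above, run winlogbeat setup separately with the Elasticsearch and Kibana hosts supplied via -E overrides.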

Reposted from: https://blog.51cto.com/liuzhengwei521/2362169