  1. ###############################################################################
  2. ############################# Winlogbeat ######################################
  3. winlogbeat:
  4. # The registry file is where Winlogbeat persists its state so that the beat
  5. # can resume after shutdown or an outage. The default is .winlogbeat.yaml
  6. # in the directory in which it was started.
  7. registry_file: C:/ProgramData/winlogbeat/.winlogbeat.yaml
  8.  
  9. # List of event logs to monitor.
  10. #
  11. # Optionally, ignore_older may be specified to filter events that are older
  12. # then the specified amount of time. If omitted then no filtering will
  13. # occur. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
  14. event_logs:
  15. - name: Application
  16. ignore_older: 72h
  17. - name: Security
  18. - name: System
  19.  
  20. # Diagnostic metrics that can retrieved through a web interface if a
  21. # bindaddress value (host:port) is specified. The web address will be
  22. # http://<bindaddress>/debug/vars
  23. #metrics:
  24. # bindaddress: 'localhost:8123'
  25.  
  26. ###############################################################################
  27. ############################# Libbeat Config ##################################
  28. # Base config file used by all other beats for using libbeat features
  29.  
  30. ############################# Output ##########################################
  31.  
  32. # Configure what outputs to use when sending the data collected by the beat.
  33. # Multiple outputs may be used.
  34. output:
  35.  
  36. ### Elasticsearch as output
  37. #elasticsearch:
  38. # Array of hosts to connect to.
  39. # Scheme and port can be left out and will be set to the default (http and 9200)
  40. # In case you specify and additional path, the scheme is required: http://localhost:9200/path
  41. # IPv6 addresses should always be defined as: https://[2001:db8::1]:9200
  42. #hosts: ["localhost:9200"]
  43.  
  44. # Optional protocol and basic auth credentials.
  45. #protocol: "https"
  46. #username: "admin"
  47. #password: "s3cr3t"
  48.  
  49. # Number of workers per Elasticsearch host.
  50. #worker: 1
  51.  
  52. # Optional index name. The default is "winlogbeat" and generates
  53. # [winlogbeat-]YYYY.MM.DD keys.
  54. #index: "winlogbeat"
  55.  
  56. # Optional HTTP Path
  57. #path: "/elasticsearch"
  58.  
  59. # Proxy server url
  60. #proxy_url: http://proxy:3128
  61.  
  62. # The number of times a particular Elasticsearch index operation is attempted. If
  63. # the indexing operation doesn't succeed after this many retries, the events are
  64. # dropped. The default is 3.
  65. #max_retries: 3
  66.  
  67. # The maximum number of events to bulk in a single Elasticsearch bulk API index request.
  68. # The default is 50.
  69. #bulk_max_size: 50
  70.  
  71. # Configure http request timeout before failing an request to Elasticsearch.
  72. #timeout: 90
  73.  
  74. # The number of seconds to wait for new events between two bulk API index requests.
  75. # If `bulk_max_size` is reached before this interval expires, addition bulk index
  76. # requests are made.
  77. #flush_interval: 1
  78.  
  79. # Boolean that sets if the topology is kept in Elasticsearch. The default is
  80. # false. This option makes sense only for Packetbeat.
  81. #save_topology: false
  82.  
  83. # The time to live in seconds for the topology information that is stored in
  84. # Elasticsearch. The default is 15 seconds.
  85. #topology_expire: 15
  86.  
  87. # tls configuration. By default is off.
  88. #tls:
  89. # List of root certificates for HTTPS server verifications
  90. #certificate_authorities: ["/etc/pki/root/ca.pem"]
  91.  
  92. # Certificate for TLS client authentication
  93. #certificate: "/etc/pki/client/cert.pem"
  94.  
  95. # Client Certificate Key
  96. #certificate_key: "/etc/pki/client/cert.key"
  97.  
  98. # Controls whether the client verifies server certificates and host name.
  99. # If insecure is set to true, all server host names and certificates will be
  100. # accepted. In this mode TLS based connections are susceptible to
  101. # man-in-the-middle attacks. Use only for testing.
  102. #insecure: true
  103.  
  104. # Configure cipher suites to be used for TLS connections
  105. #cipher_suites: []
  106.  
  107. # Configure curve types for ECDHE based cipher suites
  108. #curve_types: []
  109.  
  110. # Configure minimum TLS version allowed for connection to logstash
  111. #min_version: 1.0
  112.  
  113. # Configure maximum TLS version allowed for connection to logstash
  114. #max_version: 1.2
  115.  
  116.  
  117. ### Logstash as output
  118. logstash:
  119. # The Logstash hosts
  120. hosts: ["10.1.11.178:5044", "10.1.11.179:5044"]
  121.  
  122. # Number of workers per Logstash host.
  123. worker: 6
  124.  
  125. # Optional load balance the events between the Logstash hosts
  126. loadbalance: true
  127.  
  128. # Optional index name. The default index name depends on the each beat.
  129. # For Packetbeat, the default is set to packetbeat, for Topbeat
  130. # top topbeat and for Filebeat to filebeat.
  131. # chu y thay ten he thong bang ten he thong cua minhf
  132. # Vi du lync thi se la "wb-lync"
  133. index: wb-mail
  134.  
  135. # Optional TLS. By default is off.
  136. #tls:
  137. # List of root certificates for HTTPS server verifications
  138. #certificate_authorities: ["/etc/pki/root/ca.pem"]
  139.  
  140. # Certificate for TLS client authentication
  141. #certificate: "/etc/pki/client/cert.pem"
  142.  
  143. # Client Certificate Key
  144. #certificate_key: "/etc/pki/client/cert.key"
  145.  
  146. # Controls whether the client verifies server certificates and host name.
  147. # If insecure is set to true, all server host names and certificates will be
  148. # accepted. In this mode TLS based connections are susceptible to
  149. # man-in-the-middle attacks. Use only for testing.
  150. #insecure: true
  151.  
  152. # Configure cipher suites to be used for TLS connections
  153. #cipher_suites: []
  154.  
  155. # Configure curve types for ECDHE based cipher suites
  156. #curve_types: []
  157.  
  158.  
  159. ### File as output
  160. #file:
  161. # Path to the directory where to save the generated files. The option is mandatory.
  162. #path: "/tmp/winlogbeat"
  163.  
  164. # Name of the generated files. The default is `winlogbeat` and it generates files: `winlogbeat`, `winlogbeat.1`, `winlogbeat.2`, etc.
  165. #filename: winlogbeat
  166.  
  167. # Maximum size in kilobytes of each file. When this size is reached, the files are
  168. # rotated. The default value is 10 MB.
  169. #rotate_every_kb: 10000
  170.  
  171. # Maximum number of files under path. When this number of files is reached, the
  172. # oldest file is deleted and the rest are shifted from last to first. The default
  173. # is 7 files.
  174. #number_of_files: 7
  175.  
  176.  
  177. ### Console output
  178. # console:
  179. # Pretty print json event
  180. #pretty: false
  181.  
  182.  
  183. ############################# Shipper #########################################
  184.  
  185. shipper:
  186. # The name of the shipper that publishes the network data. It can be used to group
  187. # all the transactions sent by a single shipper in the web interface.
  188. # If this options is not defined, the hostname is used.
  189. #name:
  190.  
  191. # The tags of the shipper are included in their own field with each
  192. # transaction published. Tags make it easy to group servers by different
  193. # logical properties.
  194. #tags: ["service-X", "web-tier"]
  195.  
  196. # Uncomment the following if you want to ignore transactions created
  197. # by the server on which the shipper is installed. This option is useful
  198. # to remove duplicates if shippers are installed on multiple servers.
  199. #ignore_outgoing: true
  200.  
  201. # How often (in seconds) shippers are publishing their IPs to the topology map.
  202. # The default is 10 seconds.
  203. #refresh_topology_freq: 10
  204.  
  205. # Expiration time (in seconds) of the IPs published by a shipper to the topology map.
  206. # All the IPs will be deleted afterwards. Note, that the value must be higher than
  207. # refresh_topology_freq. The default is 15 seconds.
  208. #topology_expire: 15
  209.  
  210. # Configure local GeoIP database support.
  211. # If no paths are not configured geoip is disabled.
  212. #geoip:
  213. #paths:
  214. # - "/usr/share/GeoIP/GeoLiteCity.dat"
  215. # - "/usr/local/var/GeoIP/GeoLiteCity.dat"
  216.  
  217.  
  218. ############################# Logging #########################################
  219.  
  220. # There are three options for the log ouput: syslog, file, stderr.
  221. # Under Windos systems, the log files are per default sent to the file output,
  222. # under all other system per default to syslog.
  223. logging:
  224.  
  225. # Send all logging output to syslog. On Windows default is false, otherwise
  226. # default is true.
  227. #to_syslog: true
  228.  
  229. # Write all logging output to files. Beats automatically rotate files if rotateeverybytes
  230. # limit is reached.
  231. to_files: true
  232.  
  233. # To enable logging to files, to_files option has to be set to true
  234. files:
  235. # The directory where the log files will written to.
  236. path: C:/ProgramData/winlogbeat/Logs
  237.  
  238. # The name of the files where the logs are written to.
  239. #name: mybeat
  240.  
  241. # Configure log file size limit. If limit is reached, log file will be
  242. # automatically rotated
  243. rotateeverybytes: 10485760 # = 10MB
  244.  
  245. # Number of rotated log files to keep. Oldest files will be deleted first.
  246. #keepfiles: 7
  247.  
  248. # Enable debug output for selected components. To enable all selectors use ["*"]
  249. # Other available selectors are beat, publish, service
  250. # Multiple selectors can be chained.
  251. #selectors: [ ]
  252.  
  253. # Sets log level. The default log level is error.
  254. # Available log levels are: critical, error, warning, info, debug
  255. level: info