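````
###################### Winlogbeat Configuration Example ##########################

# This file is an example configuration file highlighting only the most common
# options. The winlogbeat.full.yml file from the same directory contains all the
# supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/winlogbeat/index.html

#======================= Winlogbeat specific options ==========================

# event_logs specifies a list of event logs to monitor as well as any
# accompanying options. The YAML data type of event_logs is a list of
# dictionaries.
#
# The supported keys are name (required), tags, fields, fields_under_root,
# forwarded, ignore_older, level, event_id, provider, and include_xml. Please
# visit the documentation for the complete details of each option.
# https://go.es.io/WinlogbeatConfig
#
# Stock example for reference:
# winlogbeat.event_logs:
#   - name: Application
#     ignore_older: 72h
#   - name: Security
#   - name: System

# Review notes on the filters used below:
#  - `level` is a comma-separated string of levels to INCLUDE; everything else
#    is dropped at the query. Security-channel audit records (logons, process
#    creation, account and policy changes) are written at level 0, which
#    Winlogbeat classes as "information", never as critical/error/warning. A
#    `level: critical, error, warning` filter on the Security channel therefore
#    drops exactly the events a SIEM needs, so no level filter is applied to
#    it. To cut volume, use an `event_id` allowlist on that channel instead.
#  - NOTE(review): `ignore_older` excludes events older than the window when
#    the channel is read. With a 30m window, a beat that was stopped, or a host
#    that was offline, for longer than that never ships the intervening
#    events. The stock example uses 72h; confirm the semantics for the
#    Winlogbeat version in use before relying on such a short window.
winlogbeat.event_logs:
  - name: Application
    level: critical, error, warning
    ignore_older: 30m
  - name: Security
    # Intentionally no `level` filter (see note above). Example allowlist:
    # event_id: 4624, 4625, 4688
    ignore_older: 30m
  - name: System
    level: critical, error, warning
    ignore_older: 30m
  # Channels worth enabling for detection coverage. Left commented because
  # they only carry events when the corresponding provider/policy is active on
  # the host (Sysmon installed; PowerShell Module / Script Block logging
  # enabled for 4103 / 4104).
  # - name: Microsoft-Windows-Sysmon/Operational
  #   ignore_older: 30m
  # - name: Microsoft-Windows-PowerShell/Operational
  #   ignore_older: 30m
  #   event_id: 4103, 4104
  # - name: Windows PowerShell
  #   event_id: 400, 600
  #   ignore_older: 30m
  # - name: Microsoft-Windows-WMI-Activity/Operational
  #   event_id: 5857, 5858, 5859, 5860, 5861

#================================ General =====================================

# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
#name:

# The tags of the shipper are included in their own field with each
# transaction published.
#tags: ["service-X", "web-tier"]

# Optional fields that you can specify to add additional information to the
# output.
#fields:
#  env: staging

#================================ Outputs =====================================

# Configure what outputs to use when sending the data collected by the beat.
# Multiple outputs may be used.

#-------------------------- Elasticsearch output ------------------------------
# output.elasticsearch:
#   # Array of hosts to connect to.
#   hosts: ["localhost:9200"]

#------------------------------ Kafka output ----------------------------------
# Security event logs are sensitive (account names, logon sources, process
# command lines). As written this output is plaintext and unauthenticated: a
# network observer can read every event, and any host that can reach the
# brokers can publish forged events into the topic. Enable TLS to the brokers
# and broker-side authentication (the commented `ssl.*` / SASL settings below)
# before deploying.
output.kafka:
  # Replace the placeholders with the broker addresses.
  hosts: ["xxxxxx:9092", "xxxxxx:9092"]
  topic: "topic-winlogbeat"
  # Events are dropped after this many failed publish attempts. For an audit
  # pipeline consider a larger value, or -1 to retry until published, so a
  # broker outage does not silently lose Security events.
  max_retries: 2
  max_message_bytes: 1000000

  # TLS to the brokers: broker CA, plus a client certificate for mTLS.
  # Windows paths are single-quoted so the backslashes stay literal.
  #ssl.certificate_authorities: ['C:\ProgramData\winlogbeat\kafka-ca.pem']
  #ssl.certificate: 'C:\ProgramData\winlogbeat\winlogbeat.pem'
  #ssl.key: 'C:\ProgramData\winlogbeat\winlogbeat.key'
  #ssl.verification_mode: full

  # SASL/PLAIN credentials for the brokers. Do not commit real values to this
  # file; on versions that support it, store them in the beat keystore and
  # reference them as ${VAR}. (`protocol:` is an Elasticsearch-output option
  # and has no effect under output.kafka, so it is not carried over here.)
  #username: "${KAFKA_USERNAME}"
  #password: "${KAFKA_PASSWORD}"

#----------------------------- Logstash output --------------------------------
#output.logstash:
  # The Logstash hosts
  #hosts: ["localhost:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

#================================ Logging =====================================

# Sets log level. The default log level is info.
# Available log levels are: critical, error, warning, info, debug
#logging.level: debug

# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publish", "service".
#logging.selectors: ["*"]

# The beat's own log. Keep it at info in production: NOTE(review) at debug
# level with the `publish` selector the beat writes event contents to this
# file, duplicating Security log data into a plain file under ProgramData.
logging:
  to_files: true
  files:
    path: 'C:\ProgramData\winlogbeat\logs'
    rotateeverybytes: 10485760
  level: info
````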