ELK通过winlogbeat收集windows系统日志并转发给logstash配置文件

1、windows主机上winlogbeat配置

# ======================== Winlogbeat inputs =========================
# Channels to read from the Windows Event Log. ignore_older skips events
# older than the given age on first start, so a fresh agent does not ship
# the whole historical log.
winlogbeat.event_logs:
  # 1. Application log
  - name: Application
    ignore_older: 72h

  # 2. System log
  - name: System
    ignore_older: 72h

  # 3. Security log
  - name: Security
    ignore_older: 72h
    # [Important] The Security channel is very high-volume; collect only key
    # event IDs, otherwise storage fills up quickly. The list below is a
    # starting point: 4624/4625 logon success/failure, 4634/4647 logoff,
    # 4672 privileged logon, 4688/4689 process create/exit (4688 requires
    # "Audit Process Creation" to be enabled), 4720/4726 account create/delete.
    # While this line stays commented out, the whole channel is collected.
    # event_id: 4624, 4625, 4634, 4647, 4672, 4688, 4689, 4720, 4726

# ======================== Processors =========================
processors:
  # Adds host name/OS/IP fields so events can be tied to the source machine.
  - add_host_metadata: ~
  # Probes cloud-provider metadata endpoints at startup; on hosts that are
  # not cloud VMs it adds nothing and can be removed.
  - add_cloud_metadata: ~

# ======================== Outputs =========================
# Elasticsearch output disabled; events are shipped via Logstash instead.
# output.elasticsearch:
#   hosts: ["localhost:9200"]

# Logstash output enabled
output.logstash:
  # Port must match the Logstash beats input. NOTE(review): the Logstash
  # pipeline later in this document listens on 5045, not 5044 — confirm
  # which is intended before deploying, otherwise nothing is delivered.
  hosts: ["10.10.xxx.xx:5044"]  # the Logstash address provided earlier
  # No ssl.* settings are configured here, so events (including Security
  # logon data) travel to Logstash in cleartext; enable TLS on both ends
  # if this link crosses an untrusted network.
  compression_level: 3
  loadbalance: true   # only has an effect when more than one host is listed
  bulk_max_size: 2048

# ======================== Logging =========================
# Agent's own diagnostic log, rotated on disk; keepfiles bounds the rotation.
logging.level: info
logging.to_files: true
logging.files:
  path: C:\ProgramData\winlogbeat\logs
  name: winlogbeat.log
  keepfiles: 7

2、logstash配置文件

放入新建的pipeline目录里
[root@elk-lo-node03 pipeline]# cat windows-winlogbeat-log.conf
input {
  beats {
    # Each .conf in the pipeline directory that opens a beats input needs its
    # own port, or the second one fails to bind. NOTE(review): the Winlogbeat
    # output earlier in this document targets 5044; the two must agree.
    port => 5045  # with several conf files in the directory, change the port so they do not conflict
    # No ssl => true / certificate settings: Winlogbeat traffic is accepted in
    # cleartext from any sender that can reach this port.
    tags => ["windows-input"]
  }
}


output {
    elasticsearch {
      hosts => ["https://10.10.xxx.xx:9200"]
      # One index per day; matches the "logs-app-windows-*" pattern in Kibana.
      index => "logs-app-windows-%{+yyyy.MM.dd}"
      # Built-in superuser; prefer a dedicated role limited to writing
      # logs-app-windows-* indices.
      user => "elastic"
      # Credential stored in plaintext in this file. Prefer the Logstash
      # keystore and reference it as "${ES_PWD}" so the value never sits
      # in a world-readable config or in version control.
      password => "JcJv*xxxxxxxxxxxx"
      # Disables server certificate verification: the https URL above then
      # encrypts the connection but does not authenticate the Elasticsearch
      # endpoint, so the basic-auth credential could be sent to an impostor.
      # Point cacert at the cluster CA instead and remove this line.
      ssl_certificate_verification => false

    }

    # Prints every event in full to Logstash's standard output. Handy while
    # debugging the pipeline; remove in production, since it copies
    # Security-channel content (logon events, account names) into the
    # Logstash process log and adds load.
    stdout {
      codec => rubydebug
    }
}

3、pipeline目录下新增conf文件后,要同步修改pipelines.yml

[root@elk-lo-node03 config]# pwd
/opt/logstash/config
[root@elk-lo-node03 config]# ll
total 48
-rw-r--r-- 1 root root  2924 Apr  1 17:49 jvm.options
-rw-r--r-- 1 root root  8680 Apr  1 17:49 log4j2.properties
-rw-r--r-- 1 root root   502 Jun  4 14:37 logstash.conf
-rw-r--r-- 1 root root   342 Apr  1 17:49 logstash-sample.conf
-rw-r--r-- 1 root root 15745 Apr  1 17:49 logstash.yml
drwxr-xr-x 2 root root    98 Jun 16 15:12 pipeline
-rw-r--r-- 1 root root   794 Jun 16 15:14 pipelines.yml
-rw-r--r-- 1 root root  1696 Apr  1 17:49 startup.options
[root@elk-lo-node03 config]# ll pipeline
total 12
-rw-r--r-- 1 root root 750 Jun  4 16:01 beats-elk-log.conf
-rw-r--r-- 1 root root 359 Jun 16 15:03 network-device-log.conf
-rw-r--r-- 1 root root 360 Jun 16 09:53 windows-winlogbeat-log.conf
[root@elk-lo-node03 config]# cat pipelines.yml
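# One entry per independent pipeline; Logstash starts all of them. Every
# entry needs a matching .conf under config/pipeline, and each .conf that
# opens a beats input must listen on a distinct port.
- pipeline.id: beats-elk-log   # receives Filebeat logs
  path.config: "config/pipeline/beats-elk-log.conf"
  pipeline.workers: 2
  pipeline.batch.size: 125
  pipeline.batch.delay: 50
  # Persistent queue: events are buffered on disk so a Logstash restart or a
  # slow Elasticsearch does not lose them. Three pipelines at 1gb each means
  # up to 3 GB under path.queue — size the disk accordingly.
  queue.type: persisted
  queue.max_bytes: 1gb
  queue.checkpoint.acks: 1024
  queue.drain: false   # don't wait to flush on shutdown; events stay on disk until next start

- pipeline.id: windows-winlogbeat-log #receives Winlogbeat logs
  path.config: "config/pipeline/windows-winlogbeat-log.conf"
  pipeline.workers: 2
  pipeline.batch.size: 125
  pipeline.batch.delay: 50
  queue.type: persisted
  queue.max_bytes: 1gb
  queue.checkpoint.acks: 1024
  queue.drain: false

- pipeline.id: network-device-log #receives logs from firewalls and other network devices
  # FIX: the closing quote was missing on this line in the original, which is a
  # YAML parse error — Logstash refuses to start until pipelines.yml parses.
  path.config: "config/pipeline/network-device-log.conf"
  pipeline.workers: 2
  pipeline.batch.size: 125
  pipeline.batch.delay: 50
  queue.type: persisted
  queue.max_bytes: 1gb
  queue.checkpoint.acks: 1024
  queue.drain: false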