Beats - winlogbeat
优质
小牛编辑
124浏览
2023-12-01
winlogbeat 通过标准的 windows API 获取 windows 系统日志,常见的有 application,hardware,security 和 system 四类。winlogbeat 示例配置如下:
winlogbeat.event_logs:
- name: Application
provider:
- Application Error
- Application Hang
- Windows Error Reporting
- EMET
- name: Security
level: critical, error, warning
event_id: 4624, 4625, 4700-4800, -4735
- name: System
ignore_older: 168h
- name: Microsoft-Windows-Windows Defender/Operational
include_xml: true
output.elasticsearch:
hosts:
- localhost:9200
pipeline: "windows-pipeline-id"
logging.to_files: true
logging.files:
path: C:/ProgramData/winlogbeat/Logs
logging.level: info
和其他 beat 一样,这里示例的配置不都是必填项。事实上只有 event_logs.name
是必须的。而 winlogbeat 的输出字段中,除了 beats 家族的通用内容外,还包括一下特有字段:
- activity_id
- computer_name:如果运行在 Windows 事件转发模式,这个值会和 beat.hostname 不一样。
- event_data
- event_id
- keywords
- log_name
- level:可选值包括 Success, Information, Warning, Error, Audit Success, and Audit Failure.
- message
- message_error
- record_number
- related_activity_id
- opcode
- provider_guid
- process_id
- source_name
- task
- thread_id
- user_data
- user.identifier
- user.name
- user.domain
- user.type
- version
- xml