github-mirrors/logstash
1
0
Fork 0
mirror of https://github.com/elastic/logstash.git synced 2025-06-28 09:46:03 -04:00
Code Issues Projects Releases Packages Wiki Activity
logstash/docs/reference/working-with-winlogbeat-modules.md
Colleen McGinnis 24fd2a6c75
clean up cross-repo links (#17190)
2025-03-03 12:37:47 -05:00

3.4 KiB
Raw Blame History

mapped_pages
https://www.elastic.co/guide/en/logstash/current/winlogbeat-modules.html

Working with Winlogbeat modules [winlogbeat-modules]

{{winlogbeat}} comes packaged with pre-built modules that contain the configurations needed to collect, parse, enrich, and visualize data from various Windows logging providers. Each {{winlogbeat}} module consists of one or more filesets that contain ingest node pipelines, {{es}} templates, {{winlogbeat}} input configurations, and {{kib}} dashboards.

You can use {{winlogbeat}} modules with {{ls}}, but you need to do some extra setup. The simplest approach is to set up and use the ingest pipelines provided by {{winlogbeat}}.

Use ingest pipelines for parsing [use-winlogbeat-ingest-pipelines]

When you use {{winlogbeat}} modules with {{ls}}, you can use the ingest pipelines provided by {{winlogbeat}} to parse the data. You need to load the pipelines into {{es}} and configure {{ls}} to use them.

To load the ingest pipelines:

On the system where {{winlogbeat}} is installed, run the setup command with the --pipelines option specified to load ingest pipelines for specific modules. For example, the following command loads ingest pipelines for the security and sysmon modules:

winlogbeat setup --pipelines --modules security,sysmon

A connection to {{es}} is required for this setup step because {{winlogbeat}} needs to load the ingest pipelines into {{es}}. If necessary, you can temporarily disable your configured output and enable the {{es}} output before running the command.

To configure {{ls}} to use the pipelines:

On the system where {{ls}} is installed, create a {{ls}} pipeline configuration that reads from a {{ls}} input, such as {{beats}} or Kafka, and sends events to an {{es}} output. Set the pipeline option in the {{es}} output to %{[@metadata][pipeline]} to use the ingest pipelines that you loaded previously.

Heres an example configuration that reads data from the Beats input and uses {{winlogbeat}} ingest pipelines to parse data collected by modules:

input {
  beats {
    port => 5044
  }
}

output {
  if [@metadata][pipeline] {
    elasticsearch {
      hosts => "https://061ab24010a2482e9d64729fdb0fd93a.us-east-1.aws.found.io:9243"
      manage_template => false
      index => "%{[@metadata][beat]}-%{[@metadata][version]}" <1>
      action => "create" <2>
      pipeline => "%{[@metadata][pipeline]}" <3>
      user => "elastic"
      password => "secret"
    }
  } else {
    elasticsearch {
      hosts => "https://061ab24010a2482e9d64729fdb0fd93a.us-east-1.aws.found.io:9243"
      manage_template => false
      index => "%{[@metadata][beat]}-%{[@metadata][version]}" <1>
      action => "create"
      user => "elastic"
      password => "secret"
    }
  }
}
  1. If data streams are disabled in your configuration, set the index option to %{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}. Data streams are enabled by default.
  2. If you are disabling the use of Data Streams on your configuration, you can remove this setting, or set it to a different value as appropriate.
  3. Configures {{ls}} to select the correct ingest pipeline based on metadata passed in the event.

See the {{winlogbeat}} Modules documentation for more information about setting up and running modules.