From f611302830151dcde8ae15e95ff033b866e133cd Mon Sep 17 00:00:00 2001 From: neu5ron Date: Fri, 22 Feb 2019 03:12:13 -0500 Subject: [PATCH] only keep enabled winlogbeat configuration parameters for readability - as discussed. --- winlogbeat/winlogbeat.yml | 122 ++------------------------------------ 1 file changed, 5 insertions(+), 117 deletions(-) diff --git a/winlogbeat/winlogbeat.yml b/winlogbeat/winlogbeat.yml index 667f15b..88dcef2 100644 --- a/winlogbeat/winlogbeat.yml +++ b/winlogbeat/winlogbeat.yml @@ -1,22 +1,8 @@ -###################### Winlogbeat Configuration Example ########################## - -# This file is an example configuration file highlighting only the most common -# options. The winlogbeat.reference.yml file from the same directory contains all the -# supported options with more comments. You can use it as a reference. -# -# You can find the full configuration reference here: -# https://www.elastic.co/guide/en/beats/winlogbeat/index.html +# For simplicity/brevity we have only included the enabled options necessary for sending windows logs to HELK +# Please visit the Elastic documentation for the complete details of each option and full reference config +# https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-reference-yml.html #======================= Winlogbeat specific options ========================== - -# event_logs specifies a list of event logs to monitor as well as any -# accompanying options. The YAML data type of event_logs is a list of -# dictionaries. -# -# The supported keys are name (required), tags, fields, fields_under_root, -# forwarded, ignore_older, level, event_id, provider, and include_xml. Please -# visit the documentation for the complete details of each option. -# https://go.es.io/WinlogbeatConfig winlogbeat.event_logs: - name: Application ignore_older: 30m 
@@ -35,111 +21,13 @@ winlogbeat.event_logs: - name: Microsoft-Windows-WMI-Activity/Operational event_id: 5857,5858,5859,5860,5861 -#==================== Elasticsearch template setting ========================== - -#setup.template.settings: -# index.number_of_shards: 3 - #index.codec: best_compression - #_source.enabled: false - -#================================ General ===================================== - -# The name of the shipper that publishes the network data. It can be used to group -# all the transactions sent by a single shipper in the web interface. -#name: - -# The tags of the shipper are included in their own field with each -# transaction published. -#tags: ["service-X", "web-tier"] - -# Optional fields that you can specify to add additional information to the -# output. -#fields: -# env: staging - - -#============================== Dashboards ===================================== -# These settings control loading the sample dashboards to the Kibana index. Loading -# the dashboards is disabled by default and can be enabled either by setting the -# options here, or by using the `-setup` CLI flag or the `setup` command. -#setup.dashboards.enabled: false - -# The URL from where to download the dashboards archive. By default this URL -# has a value which is computed based on the Beat name and version. For released -# versions, this URL points to the dashboard archive on the artifacts.elastic.co -# website. -#setup.dashboards.url: - -#============================== Kibana ===================================== - -# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API. -# This requires a Kibana endpoint configuration. 
-#setup.kibana: - - # Kibana Host - # Scheme and port can be left out and will be set to the default (http and 5601) - # In case you specify and additional path, the scheme is required: http://localhost:5601/path - # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601 - #host: "localhost:5601" - -#============================= Elastic Cloud ================================== - -# These settings simplify using winlogbeat with the Elastic Cloud (https://cloud.elastic.co/). - -# The cloud.id setting overwrites the `output.elasticsearch.hosts` and -# `setup.kibana.host` options. -# You can find the `cloud.id` in the Elastic Cloud web UI. -#cloud.id: - -# The cloud.auth setting overwrites the `output.elasticsearch.username` and -# `output.elasticsearch.password` settings. The format is `:`. -#cloud.auth: - -#================================ Outputs ===================================== - -# Configure what output to use when sending the data collected by the beat. - -#-------------------------- Elasticsearch output ------------------------------ -#output.elasticsearch: - # Array of hosts to connect to. -# hosts: ["localhost:9200"] - - # Optional protocol and basic auth credentials. - #protocol: "https" - #username: "elastic" - #password: "changeme" - -#----------------------------- Logstash output -------------------------------- -#output.logstash: - # The Logstash hosts - #hosts: ["localhost:5044"] - - # Optional SSL. By default is off. - # List of root certificates for HTTPS server verifications - #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] - - # Certificate for SSL client authentication - #ssl.certificate: "/etc/pki/client/cert.pem" - - # Client Certificate Key - #ssl.key: "/etc/pki/client/cert.key" - #----------------------------- Kafka output -------------------------------- output.kafka: # initial brokers for reading cluster metadata + # Place your HELK IP(s) here (keep the port). 
+ # If you only have one Kafka instance (default for HELK) then remove the 2nd IP that has port 9093 hosts: [":9092",":9093"] topic: "winlogbeat" ############################# HELK Optimizing Latency ###################### max_retries: 2 max_message_bytes: 1000000 - -#================================ Logging ===================================== - -# Sets log level. The default log level is info. -# Available log levels are: critical, error, warning, info, debug -#logging.level: debug - -# At debug level, you can selectively enable logging only for some components. -# To enable all selectors use ["*"]. Examples of other selectors are "beat", -# "publish", "service". -#logging.selectors: ["*"]
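Review bot: The retained `output.kafka` block carries no transport-security settings, and this hunk removes the only lines that mentioned any (the commented `ssl.certificate_authorities`, `ssl.certificate` and `ssl.key` under the old Logstash output), so with the file now advertising "only the enabled options" a reader has no hint that the Kafka output accepts the same `ssl.*` keys plus `username`/`password`; as this config stands, events go to the broker without TLS or broker authentication unless the operator adds them. Since the commit deliberately strips disabled options, a one-line pointer next to the new `hosts` comment keeps the information without reintroducing the block: `# To encrypt/authenticate the connection to the HELK broker, see the ssl.* and username/password keys in the reference config linked at the top of this file`. The placeholder `":9092"` has an empty host part, so the added comment would be clearer showing the intended shape, e.g. `# hosts: ["<HELK_IP>:9092"]` (constructed example). The second added comment line also exceeds 80 columns; wrapping it onto two `#` lines would match the surrounding comment width.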