mirror of https://github.com/infosecn1nja/HELK.git
38 lines
1.6 KiB
YAML
38 lines
1.6 KiB
YAML
# Please use version 6.x of Winlogbeat. Currently we are tracking issues in the latest version of Winlogbeat >= 7.x
|
|
# You can download the supported version of Winlogbeat here:
|
|
# https://www.elastic.co/downloads/past-releases/winlogbeat-6-7-1
|
|
|
|
# For simplicity/brevity we have only included the enabled options necessary for sending windows logs to HELK
|
|
# Please visit the Elastic documentation for the complete details of each option and full reference config
|
|
# https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-reference-yml.html
|
|
|
|
#======================= Winlogbeat specific options ==========================
|
|
winlogbeat.event_logs:
|
|
- name: Application
|
|
ignore_older: 30m
|
|
- name: Security
|
|
ignore_older: 30m
|
|
- name: System
|
|
ignore_older: 30m
|
|
- name: Microsoft-windows-sysmon/operational
|
|
ignore_older: 30m
|
|
- name: Microsoft-windows-PowerShell/Operational
|
|
ignore_older: 30m
|
|
event_id: 4103, 4104
|
|
- name: Windows PowerShell
|
|
event_id: 400,600
|
|
ignore_older: 30m
|
|
- name: Microsoft-Windows-WMI-Activity/Operational
|
|
event_id: 5857,5858,5859,5860,5861
|
|
|
|
#----------------------------- Kafka output --------------------------------
|
|
output.kafka:
|
|
# initial brokers for reading cluster metadata
|
|
# Place your HELK IP(s) here (keep the port).
|
|
# If you only have one Kafka instance (default for HELK) then remove the 2nd IP that has port 9093
|
|
hosts: ["<HELK-IP>:9092","<HELK-IP>:9093"]
|
|
topic: "winlogbeat"
|
|
############################# HELK Optimizing Latency ######################
|
|
max_retries: 2
|
|
max_message_bytes: 1000000
|