ELK通过winlogbeat收集windows系统日志并转发给logstash配置文件

1、windows主机上winlogbeat配置

# ======================== Winlogbeat inputs ========================= winlogbeat.event_logs: # 1. 应用程序日志 - name: Application ignore_older: 72h # 2. 系统日志 - name: System ignore_older: 72h # 3. 安全日志 - name: Security ignore_older: 72h # 【重要建议】安全日志量极大，建议只采集关键事件ID，否则容易撑爆存储 # event_id: 4624, 4625, 4634, 4647, 4672, 4688, 4689, 4720, 4726 # ======================== Processors ========================= processors: - add_host_metadata: ~ - add_cloud_metadata: ~ # ======================== Outputs ========================= # 禁用 Elasticsearch 输出 # output.elasticsearch: # hosts: ["localhost:9200"] # 启用 Logstash 输出 output.logstash: hosts: ["10.10.xxx.xx:5044"] # 使用你之前提供的 Logstash 地址 compression_level: 3 loadbalance: true bulk_max_size: 2048 # ======================== Logging ========================= logging.level: info logging.to_files: true logging.files: path: C:\ProgramData\winlogbeat\logs name: winlogbeat.log keepfiles: 7

2、logstash配置文件

放入新建的pipeline目录里 [root@elk-lo-node03 pipeline]# cat windows-winlogbeat-log.conf input { beats { port => 5045 #目录下多个conf文件的话，端口要修改，不要冲突 tags => ["windows-input"] } } output { elasticsearch { hosts => ["https://10.10.xxx.xx:9200"] index => "logs-app-windows-%{+yyyy.MM.dd}" user => "elastic" password => "JcJv*xxxxxxxxxxxx" ssl_certificate_verification => false } stdout { codec => rubydebug } }

3、pipeline目录下新增conf文件后，要同步修改pipelines.yml

[root@elk-lo-node03 config]# pwd /opt/logstash/config [root@elk-lo-node03 config]# ll total 48 -rw-r--r-- 1 root root 2924 Apr 1 17:49 jvm.options -rw-r--r-- 1 root root 8680 Apr 1 17:49 log4j2.properties -rw-r--r-- 1 root root 502 Jun 4 14:37 logstash.conf -rw-r--r-- 1 root root 342 Apr 1 17:49 logstash-sample.conf -rw-r--r-- 1 root root 15745 Apr 1 17:49 logstash.yml drwxr-xr-x 2 root root 98 Jun 16 15:12 pipeline -rw-r--r-- 1 root root 794 Jun 16 15:14 pipelines.yml -rw-r--r-- 1 root root 1696 Apr 1 17:49 startup.options [root@elk-lo-node03 config]# ll pipeline total 12 -rw-r--r-- 1 root root 750 Jun 4 16:01 beats-elk-log.conf -rw-r--r-- 1 root root 359 Jun 16 15:03 network-device-log.conf -rw-r--r-- 1 root root 360 Jun 16 09:53 windows-winlogbeat-log.conf [root@elk-lo-node03 config]# cat pipelines.yml - pipeline.id: beats-elk-log #接收filebeat日志 path.config: "config/pipeline/beats-elk-log.conf" pipeline.workers: 2 pipeline.batch.size: 125 pipeline.batch.delay: 50 queue.type: persisted queue.max_bytes: 1gb queue.checkpoint.acks: 1024 queue.drain: false - pipeline.id: windows-winlogbeat-log #接收winlogbeat日志 path.config: "config/pipeline/windows-winlogbeat-log.conf" pipeline.workers: 2 pipeline.batch.size: 125 pipeline.batch.delay: 50 queue.type: persisted queue.max_bytes: 1gb queue.checkpoint.acks: 1024 queue.drain: false - pipeline.id: network-device-log #接收防火墙等网络设备日志 path.config: "config/pipeline/network-device-log.conf pipeline.workers: 2 pipeline.batch.size: 125 pipeline.batch.delay: 50 queue.type: persisted queue.max_bytes: 1gb queue.checkpoint.acks: 1024 queue.drain: false