Configure Winlogbeat

Before you begin, you’ll need: Winlogbeat 8, Winlogbeat 7, or Winlogbeat 6.

Download the Logz.io public certificate

Download the Logz.io public certificate to C:\ProgramData\Winlogbeat\COMODORSADomainValidationSecureServerCA.crt on your machine.

Configure Windows input

If you’re working with the default configuration file (C:\Program Files\Winlogbeat\winlogbeat.yml), clear its content and start with a fresh file.

Paste this code block.

Replace <<LOG-SHIPPING-TOKEN>> with the token of the account you want to ship to.

winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: Security
  - name: System

fields:
  logzio_codec: json
  token: <<LOG-SHIPPING-TOKEN>>
  type: wineventlog
fields_under_root: true

If you’re running Winlogbeat 7 or 8, paste this code block. Otherwise, you can leave it out.

# ... For Winlogbeat 7 and 8 only ...
processors:
  - rename:
      fields:
      - from: "agent"
        to: "beat_agent"
      ignore_missing: true
  - rename:
      fields:
      - from: "log.file.path"
        to: "source"
      ignore_missing: true
  - rename:
      fields:
      - from: "log"
        to: "log_information"
      ignore_missing: true

Set Logz.io as the output

If Logz.io isn’t the output, set it now.

Winlogbeat can have one output only, so remove any other output entries.

Replace <<LISTENER-HOST>> with the host for your region. For example, listener.logz.io if your account is hosted on AWS US East, or listener-nl.logz.io if hosted on Azure West Europe. The required port depends on whether HTTP or HTTPS is used: HTTP = 8070, HTTPS = 8071.

output.logstash:
  hosts: ["<<LISTENER-HOST>>:5015"]
  ssl:
    certificate_authorities: ['C:\ProgramData\Winlogbeat\COMODORSADomainValidationSecureServerCA.crt']

Restart Winlogbeat

Open PowerShell as an admin and run this command:

Restart-Service winlogbeat

If you’re starting Winlogbeat and haven’t configured it as a service yet, refer to the Winlogbeat documentation.

Check Logz.io for your logs

Give your logs some time to get from your system to ours, and then open OpenSearch Dashboards.

If you still don’t see your logs, see log shipping troubleshooting.
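Before restarting the service, it is worth confirming that the configuration above is complete. The following PowerShell pre-flight check is an added example, not part of the Logz.io documentation: it uses the default paths from this page, assumes listener.logz.io and port 5015 as the listener (replace them with your region's host and port), and verifies that the CA certificate exists and parses, that no <<PLACEHOLDER>> values remain in winlogbeat.yml, that exactly one output block is defined with TLS enabled, and that the listener is reachable.

```powershell
# Added pre-flight check for the Winlogbeat -> Logz.io setup on this page.
# Paths are the page defaults; listener host/port are assumptions to adjust.
$ConfigPath = 'C:\Program Files\Winlogbeat\winlogbeat.yml'
$CertPath   = 'C:\ProgramData\Winlogbeat\COMODORSADomainValidationSecureServerCA.crt'
$Listener   = 'listener.logz.io'   # replace with the host for your region
$Port       = 5015                 # port used in output.logstash above

$problems = @()

# 1. The CA certificate file must exist and load as an X.509 certificate.
if (-not (Test-Path $CertPath)) {
    $problems += "CA certificate not found at $CertPath"
} else {
    try {
        $ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
        if ($ca.NotAfter -lt (Get-Date)) { $problems += "CA certificate expired on $($ca.NotAfter)" }
    } catch {
        $problems += "File at $CertPath is not a valid X.509 certificate"
    }
}

# 2. No <<PLACEHOLDER>> tokens may remain (e.g. <<LOG-SHIPPING-TOKEN>>, <<LISTENER-HOST>>).
$config = Get-Content $ConfigPath -Raw
if ($config -match '<<[A-Z-]+>>') {
    $problems += "Unreplaced placeholder in ${ConfigPath}: $($Matches[0])"
}

# 3. Winlogbeat accepts a single output, and that output must pin the CA.
$outputs = ([regex]::Matches($config, '(?m)^output\.\w+:')).Count
if ($outputs -ne 1) { $problems += "Expected exactly one output block, found $outputs" }
if ($config -notmatch 'certificate_authorities') {
    $problems += 'output.logstash has no ssl.certificate_authorities entry'
}

# 4. The listener must be reachable on the configured port.
$tcp = Test-NetConnection -ComputerName $Listener -Port $Port -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) { $problems += "Cannot reach ${Listener}:$Port over TCP" }

if ($problems.Count -eq 0) {
    Write-Output 'Pre-flight OK; run Restart-Service winlogbeat'
} else {
    $problems | ForEach-Object { Write-Output "FAIL: $_" }
}
```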

Configure NXLog

Before you begin, you’ll need: NXLog.

Configure NXLog basics

Copy this code into your configuration file (C:\Program Files (x86)\nxlog\conf\nxlog.conf by default).

define ROOT C:\\Program Files (x86)\\nxlog
define ROOT_STRING C:\\Program Files (x86)\\nxlog
define CERTDIR %ROOT%\\cert
Moduledir %ROOT%\\modules
CacheDir %ROOT%\\data
Pidfile %ROOT%\\data\\nxlog.pid
SpoolDir %ROOT%\\data
LogFile %ROOT%\\data\\nxlog.log
<Extension charconv>
    Module xm_charconv
    AutodetectCharsets utf-8, euc-jp, utf-16, utf-32, iso8859-2
</Extension>

For information on parsing multi-line messages, see the NXLog documentation.

Add Windows as an input

Add an Input block to append your account token to log records.

Replace <<LOG-SHIPPING-TOKEN>> with the token of the account you want to ship to.

<Input eventlog>
    # For Windows Vista/2008 and later, set Module to `im_msvistalog`. For
    # Windows XP/2000/2003, set to `im_mseventlog`.
    Module im_msvistalog

    Exec if $raw_event =~ /^#/ drop();
    Exec convert_fields("AUTO", "utf-8");
    Exec $raw_event = '[<<LOG-SHIPPING-TOKEN>>][type=wineventlog]' + $raw_event;
</Input>

Set Logz.io as the output

Add the Logz.io listener in the Output block.

Replace <<LISTENER-HOST>> with the host for your region. For example, listener.logz.io if your account is hosted on AWS US East, or listener-nl.logz.io if hosted on Azure West Europe. The required port depends on whether HTTP or HTTPS is used: HTTP = 8070, HTTPS = 8071.

<Output out>
    Module  om_tcp
    Host    <<LISTENER-HOST>>
    Port    8010
</Output>
<Route 1>
    Path eventlog => out
</Route>

Restart NXLog

Open PowerShell as an admin and run this command:

Restart-Service nxlog

Check Logz.io for your logs

Give your logs some time to get from your system to ours, and then open OpenSearch Dashboards.