I am trying to set up winlogbeat to send logs to ELK. The winlogbeat configuration:

winlogbeat.event_logs:
  - name: Security
    processors:
      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js
  - name: System
tags: ["winsrv"]
output.logstash:
  hosts: ["192.168.1.1:5050"]
logging.level: info
logging.to_files: true
logging.files:
  path: ${path.home}/logs
  name: winlogbeat
  keepfiles: 7
xpack.monitoring:
  enabled: true
  elasticsearch:
    hosts: ["localhost:9200"]
migration.6_to_7.enabled: true
winlogbeat does not send log_name, event_id, etc. (from here: https://www.elastic.co/guide/en/beats/winlogbeat/current/exported-fields-eventlog.html). I tried changing migration.6_to_7.enabled to migration.6_to_7.enable; nothing happened. OK, winlogbeat sends log_name as winlog.channel and event_id as winlog.event_id, and I am trying to create this rule in logstash:

output {
  if "winsrv" in [tags] and [winlog.channel] == "Security" {
    elasticsearch {
      hosts => "localhost:9200"
      index => "winsrv-winsecurity-%{+YYYY.MM.dd}"
    }
  } else if "winsrv" in [tags] and [winlog.channel] == "System" {
    elasticsearch {
      hosts => "localhost:9200"
      index => "winsrv-winsystem-%{+YYYY.MM.dd}"
    }
  } else if "winsrv" in [tags] {
    elasticsearch {
      hosts => "localhost:9200"
      index => "winsrv-winlogbeat-%{+YYYY.MM.dd}"
    }
  }
  else {
    elasticsearch {
      hosts => "localhost:9200"
      index => "other-%{+YYYY.MM.dd}"
    }
  }
}
but logstash sends the logs to elasticsearch as winsrv-winlogbeat-[date]
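As an added example (not part of the original post): Logstash addresses nested fields as `[winlog][channel]`, while `[winlog.channel]` names a top-level field whose literal name contains a dot, so both channel conditions above never match and every tagged event falls through to the generic branch. The pipeline below assumes the same hosts and index names as the post and Winlogbeat 7.x ECS fields; it goes a step further than the post by computing the routing key once in a filter and keeping a single elasticsearch output, which keeps the Security channel in its own index for retention and detection rules.

```logstash
filter {
  if "winsrv" in [tags] {
    # Nested Winlogbeat fields are referenced as [winlog][channel].
    # [winlog.channel] would look for a top-level field literally named
    # "winlog.channel", which does not exist, so it never matches.
    if [winlog][channel] == "Security" {
      mutate { add_field => { "[@metadata][index_prefix]" => "winsrv-winsecurity" } }
    } else if [winlog][channel] == "System" {
      mutate { add_field => { "[@metadata][index_prefix]" => "winsrv-winsystem" } }
    } else {
      mutate { add_field => { "[@metadata][index_prefix]" => "winsrv-winlogbeat" } }
    }
  } else {
    mutate { add_field => { "[@metadata][index_prefix]" => "other" } }
  }
}

output {
  # @metadata is never sent to outputs, so the routing key does not end up
  # as an extra field in the indexed document.
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "%{[@metadata][index_prefix]}-%{+YYYY.MM.dd}"
  }
}
```

To check the routing key while testing, a temporary `stdout { codec => rubydebug { metadata => true } }` output prints the @metadata values for each event.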