Download Beats for Windows
Version 7.12 is used as the example here. The three most commonly used beats are listed below; download each of them:
- winlogbeat (used as the example)
- filebeat
- metricbeat
https://artifacts.elastic.co/downloads/beats/winlogbeat/winlogbeat-7.12.0-windows-x86_64.zip
https://artifacts.elastic.co/downloads/beats/metricbeat/metricbeat-7.12.0-windows-x86_64.zip
https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.12.0-windows-x86_64.zip
After downloading, extract them under C:\Program Files.
Install as Service
Open PowerShell as Administrator, change into each beat's directory, and run the service installer:
PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-winlogbeat.ps1
PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-metricbeat.ps1
PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-filebeat.ps1
Winlogbeat Setting
Open the YML file; the logs collected by default are already configured:
The following command lists the names of additional event logs you may want to collect; add the ones you need as entries in the yml file:
Get-WinEvent -ListLog * | Format-List -Property LogName
For example, to collect the Terminal Services related logs:
- name: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
To keep stale events from being shipped into ES and stored, remember to filter out old data in every entry:
- name: Security
  ignore_older: 72h
Filebeat Setting
- Change enabled to true
- Adjust the paths of the files to be collected
Common Settings
By default beats ship data directly to ES; this can be changed so that data goes to Logstash for further processing instead (pick one):
#output.elasticsearch:
#  hosts: ["192.168.101.18:9200"]
output.logstash:
  hosts: ["192.168.101.18:5044"]
Start the Service
net start winlogbeat
Check services.msc for a winlogbeat service to confirm the installation succeeded, and set its startup type to Automatic.
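The following PowerShell script is an added example, not part of the original post or of the Beats packages. It checks the three services, sets them to start automatically, warns about any winlogbeat.yml event log entry that lacks ignore_older, and confirms the Logstash endpoint configured above is reachable. It assumes the install location C:\Program Files\<beat> and the host/port values used on this page.

```powershell
# Added example (not from the original post or from Elastic): post-install check.
# Assumptions: beats live under C:\Program Files\<beat>; Logstash host/port as on this page.
$Beats        = @('winlogbeat', 'metricbeat', 'filebeat')
$BaseDir      = 'C:\Program Files'
$LogstashHost = '192.168.101.18'
$LogstashPort = 5044

foreach ($beat in $Beats) {
    $svc = Get-Service -Name $beat -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Warning "$beat service not found: re-run install-service-$beat.ps1"
        continue
    }
    # Make sure the agent survives a reboot, then start it if it is not running yet.
    Set-Service -Name $beat -StartupType Automatic
    if ($svc.Status -ne 'Running') { Start-Service -Name $beat }
    $svc = Get-Service -Name $beat
    Write-Host ("{0,-12} {1,-8} {2}" -f $beat, $svc.Status, $svc.StartType)
}

# Every event_logs entry should carry ignore_older; otherwise the first run ships the
# entire historical log into the cluster.
$yml   = Join-Path $BaseDir 'winlogbeat\winlogbeat.yml'
$lines = Get-Content -Path $yml
for ($i = 0; $i -lt $lines.Count; $i++) {
    if ($lines[$i] -match '^\s*-\s*name:\s*(\S.*)$') {
        $logName   = $Matches[1]
        $hasIgnore = $false
        # Scan only the indented lines that belong to this entry (stop at the next "- name:" or a blank line).
        $j = $i + 1
        while ($j -lt $lines.Count -and $lines[$j] -match '^\s+\S' -and $lines[$j] -notmatch '^\s*-\s*name:') {
            if ($lines[$j] -match '^\s*ignore_older:') { $hasIgnore = $true }
            $j++
        }
        if (-not $hasIgnore) { Write-Warning "event log '$logName' has no ignore_older" }
    }
}

# Confirm the output.logstash endpoint is actually reachable from this host.
$tcp = Test-NetConnection -ComputerName $LogstashHost -Port $LogstashPort -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    Write-Warning "Cannot reach ${LogstashHost}:${LogstashPort}: check output.logstash and the firewall"
}
```

Run it from an elevated PowerShell after the install-service scripts; the warnings point at the entry or setting to fix.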
Remove Beats
cd "C:\Program Files\winlogbeat"
net stop winlogbeat
Powershell.exe -file uninstall-service-winlogbeat.ps1
cd "C:\Program Files\metricbeat"
net stop metricbeat
Powershell.exe -file uninstall-service-metricbeat.ps1
cd "C:\Program Files\filebeat"
net stop filebeat
Powershell.exe -file uninstall-service-filebeat.ps1