Download the Logz.io certificate
Download the Logz.io public certificate to your machine. We'll place the certificate in C:\ProgramData\Winlogbeat\COMODORSADomainValidationSecureServerCA.crt for this example.
Configure Windows applications as an input
In the Winlogbeat configuration file (C:\Program Files\Winlogbeat\winlogbeat.yml by default), add this code block at the root level.
Replace <<SHIPPING-TOKEN>> with the token of the account you want to ship to. The token is what authenticates this machine to your account, so treat winlogbeat.yml as a secret once it is in place.
```yaml
# ...
winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: Security
  - name: System

fields:
  logzio_codec: json
  # Your Logz.io account token. You can find your token at
  # https://app.logz.io/#/dashboard/settings/manage-accounts
  token: <<SHIPPING-TOKEN>>
  type: wineventlog
fields_under_root: true
```
If you're running Winlogbeat 7, also paste this code block. Otherwise, leave it out.
```yaml
# ... For Winlogbeat 7 only ...
processors:
  - rename:
      fields:
        - from: "agent"
          to: "beat_agent"
      ignore_missing: true
  - rename:
      fields:
        - from: "log.file.path"
          to: "source"
      ignore_missing: true
  - rename:
      fields:
        - from: "log"
          to: "log_information"
      ignore_missing: true
```
Add Logz.io as an output
If Logz.io is not an output in the Winlogbeat configuration file (C:\Program Files\Winlogbeat\winlogbeat.yml by default), add it now.
Replace <<LISTENER-HOST>> with your region's listener host (for example, listener.logz.io). For more information on finding your account's region, see Account region.
```yaml
# ...
output.logstash:
  hosts: ["<<LISTENER-HOST>>:5015"]
  ssl:
    certificate_authorities: ['C:\ProgramData\Winlogbeat\COMODORSADomainValidationSecureServerCA.crt']
```
Remove remaining default blocks
If the setup.template.settings and output.elasticsearch blocks are still in the configuration file, remove them. Winlogbeat accepts only one active output, so leaving output.elasticsearch next to output.logstash stops the Beat from starting.
```yaml
# Remove this block if it's still in the config file
setup.template.settings:
  index.number_of_shards: 3
```

```yaml
# Remove this block if it's still in the config file
output.elasticsearch:
  hosts: ["localhost:9200"]
```
Restart Winlogbeat
```powershell
PS C:\Program Files\Winlogbeat> Restart-Service winlogbeat
```
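Before restarting the service, it is worth checking the pieces this procedure depends on: that the pinned CA file parses and is still valid, that the placeholders were replaced and the default output blocks removed, that the file holding the token is not readable by every local user, and that the listener actually presents a chain containing the pinned CA on port 5015. The following PowerShell script does those checks and then asks Winlogbeat itself to validate the configuration and the output. It is an added example, not Logz.io's or Elastic's own code; it assumes the default install path and the certificate path used on this page, and the listener.logz.io default must be changed to your region's listener.

```powershell
# Pre-flight checks for the Winlogbeat -> Logz.io setup described on this page.
# Added example, not Logz.io or Elastic code. Paths default to the ones used
# above; $ListenerHost is an assumption and must be set to your region's listener.
param(
    [string]$ListenerHost = 'listener.logz.io',
    [int]   $ListenerPort = 5015,
    [string]$ConfigPath   = 'C:\Program Files\Winlogbeat\winlogbeat.yml',
    [string]$CaPath       = 'C:\ProgramData\Winlogbeat\COMODORSADomainValidationSecureServerCA.crt'
)
$ErrorActionPreference = 'Stop'

# 1. The CA file named in ssl.certificate_authorities must exist, parse, and not be expired.
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CaPath
Write-Host "Pinned CA: $($ca.Subject) (expires $($ca.NotAfter.ToString('yyyy-MM-dd')))"
if ($ca.NotAfter -lt (Get-Date)) { throw 'Pinned CA file has expired; TLS verification will fail' }

# 2. Placeholders must be replaced and the default blocks removed.
#    Winlogbeat refuses to start with two outputs enabled.
$config = Get-Content -LiteralPath $ConfigPath -Raw
foreach ($placeholder in '<<SHIPPING-TOKEN>>', '<<LISTENER-HOST>>') {
    if ($config.Contains($placeholder)) { throw "$placeholder has not been replaced in $ConfigPath" }
}
foreach ($key in 'output.elasticsearch:', 'setup.template.settings:') {
    if ($config -match "(?m)^\s*$([regex]::Escape($key))") {
        Write-Warning "Default block '$key' is still active in $ConfigPath; remove it"
    }
}

# 3. The file now holds the shipping token, so broad read access is a finding.
$acl = Get-Acl -LiteralPath $ConfigPath
$broad = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference -match 'Everyone|Authenticated Users|\\Users$'
}
if ($broad) {
    Write-Warning ('winlogbeat.yml is readable by: ' + (($broad.IdentityReference | Select-Object -Unique) -join ', '))
}

# 4. Connect to the listener over TLS and check that the presented chain includes
#    the pinned CA. This approximates the certificate_authorities check Winlogbeat
#    performs; if it fails here, the Beat will fail the same way after the restart.
$tcp = New-Object System.Net.Sockets.TcpClient
$tcp.Connect($ListenerHost, $ListenerPort)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($ListenerHost)   # default validation against the Windows trust store
    $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
    $chain  = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    [void]$chain.ChainPolicy.ExtraStore.Add($ca)
    [void]$chain.Build($remote)
    $thumbprints = $chain.ChainElements | ForEach-Object { $_.Certificate.Thumbprint }
    Write-Host "Listener cert: $($remote.Subject), protocol $($ssl.SslProtocol)"
    if ($thumbprints -notcontains $ca.Thumbprint) {
        Write-Warning 'Listener chain does not include the pinned CA; update the certificate file before restarting'
    } else {
        Write-Host 'Listener chain includes the pinned CA'
    }
} finally {
    $ssl.Dispose()
    $tcp.Close()
}

# 5. Let Winlogbeat validate the file and the output itself before the restart.
$exe = Join-Path (Split-Path -Parent $ConfigPath) 'winlogbeat.exe'
& $exe test config -c $ConfigPath
& $exe test output -c $ConfigPath
```

Run it from an elevated PowerShell prompt, since reading the ACL and the configuration file under Program Files needs administrator rights. Step 4 deliberately uses the Windows trust store for the handshake and only then compares the chain with the pinned file: that way an expired or rotated CA file shows up as a warning about the pin rather than as a generic connection failure, which is the failure mode that otherwise leaves the service running with nothing arriving in Kibana.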
Check Logz.io for your logs
Give your logs some time to get from your system to ours, and then open Kibana.
If you still don’t see your logs, see log shipping troubleshooting.