Configuration

Before you begin, you’ll need: Winlogbeat 7.0.0 or Winlogbeat 6

Download the Logz.io certificate

Download the Logz.io public certificate to your machine. We’ll place the certificate in C:\ProgramData\Winlogbeat\COMODORSADomainValidationSecureServerCA.crt for this example.

Configure Windows applications as an input

In the Winlogbeat configuration file (C:\Program Files\Winlogbeat\winlogbeat.yml by default), add this code block at the root level.

Replace <<SHIPPING-TOKEN>> with the token of the account you want to ship to.

# ...
winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: Security
  - name: System

fields:
  logzio_codec: json

  # Your Logz.io account token. You can find your token at
  #  https://app.logz.io/#/dashboard/settings/manage-accounts
  token: <<SHIPPING-TOKEN>>
  type: wineventlog
fields_under_root: true

If you’re running Winlogbeat 7, paste this code block. Otherwise, you can leave it out.

# ... For Winlogbeat 7 only ...
processors:
  - rename:
      fields:
      - from: "agent"
        to: "beat_agent"
      ignore_missing: true
  - rename:
      fields:
      - from: "log.file.path"
        to: "source"
      ignore_missing: true
  - rename:
      fields:
      - from: "log"
        to: "log_information"
      ignore_missing: true

Add Logz.io as an output

If Logz.io is not an output in the Winlogbeat configuration file (C:\Program Files\Winlogbeat\winlogbeat.yml by default), add it now.

Replace <<LISTENER-HOST>> with your region’s listener host (for example, listener.logz.io). For more information on finding your account’s region, see Account region.

# ...
output.logstash:
  hosts: ["<<LISTENER-HOST>>:5015"]
  ssl:
    certificate_authorities: ['C:\ProgramData\Winlogbeat\COMODORSADomainValidationSecureServerCA.crt']

Remove remaining default blocks

If the output.elasticsearch and setup.template.settings blocks are still in the configuration file, remove them.

# Remove this block if it's still in the config file
setup.template.settings:
  index.number_of_shards: 3
# Remove this block if it's still in the config file
output.elasticsearch:
  hosts: ["localhost:9200"]

Restart Winlogbeat

PS C:\Program Files\Winlogbeat> Restart-Service winlogbeat

Check Logz.io for your logs

Give your logs some time to get from your system to ours, and then open Kibana.

If you still don’t see your logs, see log shipping troubleshooting.
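If the logs never arrive, the usual causes are the ones the steps above warn about. The following script is an added example, not part of the Logz.io docs or of Winlogbeat: a line-based pre-flight check of winlogbeat.yml for leftover placeholders, default output blocks that were not removed, the 5015 listener port and the pinned Logz.io CA, with two constructed sample configurations (the token value and the function name are made up for the example).

```python
"""Constructed pre-flight lint for the winlogbeat.yml built above. It is
line-based (no YAML library) and flags the mistakes the steps warn about:
placeholders left in, default blocks still present, no Logz.io CA pinned."""
import re

PLACEHOLDERS = ("<<SHIPPING-TOKEN>>", "<<LISTENER-HOST>>")
FORBIDDEN_ROOT_KEYS = ("output.elasticsearch:", "setup.template.settings:")


def lint_winlogbeat_config(text: str) -> list[str]:
    """Return the problems found in a winlogbeat.yml; an empty list means OK."""
    # Crude comment stripping: a '#' inside a quoted value would also be cut.
    lines = [ln.split("#", 1)[0].rstrip() for ln in text.splitlines()]
    problems = []
    for ph in PLACEHOLDERS:
        if any(ph in ln for ln in lines):
            problems.append(f"placeholder {ph} was not replaced")
    for key in FORBIDDEN_ROOT_KEYS:
        if any(ln.startswith(key) for ln in lines):  # unindented = root level
            problems.append(f"default block {key[:-1]} is still present")
    if not any(ln.startswith("output.logstash:") for ln in lines):
        problems.append("output.logstash block is missing")
    hosts = [ln for ln in lines if ln.lstrip().startswith("hosts:")]
    if not any(re.search(r""":5015['"]?\]""", ln) for ln in hosts):
        problems.append("no hosts entry uses the Logz.io listener port 5015")
    if not any(ln.lstrip().startswith("certificate_authorities:") for ln in lines):
        problems.append("ssl.certificate_authorities is not set (CA not pinned)")
    return problems


# Constructed sample: the finished configuration with a fake token.
GOOD_CONFIG = r"""
fields:
  token: CONSTRUCTED-EXAMPLE-TOKEN
  type: wineventlog
fields_under_root: true
output.logstash:
  hosts: ["listener.logz.io:5015"]
  ssl:
    certificate_authorities: ['C:\ProgramData\Winlogbeat\COMODORSADomainValidationSecureServerCA.crt']
"""

# Constructed sample: placeholders left in, default output kept, no TLS CA.
BAD_CONFIG = r"""
fields:
  token: <<SHIPPING-TOKEN>>
output.logstash:
  hosts: ["<<LISTENER-HOST>>:5015"]
output.elasticsearch:
  hosts: ["localhost:9200"]
"""
```

Run `lint_winlogbeat_config(open(path).read())` against the real file; an empty list means the file passed every check this script knows about, not that Winlogbeat will accept it.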