Configuration

Before you begin, you’ll need: Winlogbeat 7.0.0 or Winlogbeat 6

Download the Logz.io public certificate

Download the Logz.io public certificate to C:\ProgramData\Winlogbeat\COMODORSADomainValidationSecureServerCA.crt on your machine.

Configure Windows applications as an input

If you’re working with the default configuration file, (C:\Program Files\Winlogbeat\winlogbeat.yml) clear the contents and start with a fresh file.

Paste this code block.

Replace <<SHIPPING-TOKEN>> with the token of the account you want to ship to.

# ...
winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: Security
  - name: System

fields:
  logzio_codec: json

  # Your Logz.io account token. You can find your token at
  #  https://app.logz.io/#/dashboard/settings/manage-accounts
  token: <<SHIPPING-TOKEN>>
  type: wineventlog
fields_under_root: true

If you’re running Winlogbeat 7, paste this code block. Otherwise, you can leave it out.

# ... For Winlogbeat 7 only ...
processors:
  - rename:
      fields:
      - from: "agent"
        to: "beat_agent"
      ignore_missing: true
  - rename:
      fields:
      - from: "log.file.path"
        to: "source"
      ignore_missing: true
  - rename:
      fields:
      - from: "log"
        to: "log_information"
      ignore_missing: true
Set Logz.io as the output

If Logz.io isn’t the output, set it now.

Winlogbeat can have one output only, so remove any other output entries.

Replace <<LISTENER-HOST>> with your region’s listener host (for example, listener.logz.io). For more information on finding your account’s region, see Account region.

# ...
output.logstash:
  hosts: ["<<LISTENER-HOST>>:5015"]
  ssl:
    certificate_authorities: ['C:\ProgramData\Winlogbeat\COMODORSADomainValidationSecureServerCA.crt']
Restart Winlogbeat
Restart-Service winlogbeat
Check Logz.io for your logs

Give your logs some time to get from your system to ours, and then open Kibana.

If you still don’t see your logs, see log shipping troubleshooting.