Winlogbeat Configuration


This is an example configuration for Winlogbeat. You can use it as a starting point to further define which data you want to gather.

Please be aware of the fact that more data needs more storage space and that you might need to order additional space or bigger instances.

winlogbeat.event_logs:
  # Core Windows logs
  - name: Application
    ignore_older: 72h        # skip events older than 72 hours on first start
  - name: System
  - name: Security
  - name: setup
    tags: [forwarded]
  # PowerShell logging (4103 = module logging, 4104 = script block logging,
  # 4105/4106 = script block start/stop); these events are only written
  # when the corresponding PowerShell logging policies are enabled on the host
  - name: Windows PowerShell
  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104, 4105, 4106
  - name: PowerShell Profile Management
  # Desired State Configuration and Windows Update
  - name: Microsoft-Windows-DSC/Admin
  - name: Microsoft-Windows-DSC/Operational
  - name: Microsoft-Windows-WindowsUpdateClient/Operational
  # FSLogix and App-V channels only exist on hosts where those products are installed
  - name: Microsoft-FSLogix-Apps/Admin
  - name: Microsoft-FSLogix-Apps/Operational
  - name: Microsoft-FSLogix-CloudCache/Admin
  - name: Microsoft-FSLogix-CloudCache/Operational
  - name: Microsoft-AppV-Client/Admin
  - name: Microsoft-AppV-Client/Operational
  - name: Microsoft-AppV-Client/Virtual Applications

output.elasticsearch:
  hosts: ["Insights URL"]           # replace with the ingestion endpoint you were given
  protocol: "http"                  # accepted values are "http" or "https"; with "http" the
                                    # credentials below are sent in clear text on the wire
  username: "Authentication Name"
  password: "Authentication PW"
  index: "winlogbeat"
  xpack.enabled: false
  bulk_max_size: 800                # events per bulk request
  worker: 2                         # parallel connections to the output
  compression_level: 9              # gzip level; trades CPU for bandwidth

setup.ilm.enabled: false
setup.ilm.check_exists: false
setup.dashboards.enabled: false
setup.template.enabled: false
setup.template.overwrite: false

processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~
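Before rolling the configuration out, it is worth confirming on a target host that every configured channel actually exists, that the PowerShell logging policies needed for events 4103 and 4104 are in place, and that Winlogbeat itself accepts the file and can reach the output. The following PowerShell pre-flight check is an added example, not part of the original configuration; it assumes Winlogbeat is installed under C:\Program Files\Winlogbeat with the configuration saved as winlogbeat.yml (adjust $WinlogbeatDir if yours differs).

```powershell
# Pre-flight check for the Winlogbeat configuration above (added example).
# Assumption: Winlogbeat lives in $WinlogbeatDir and the config is winlogbeat.yml.
$WinlogbeatDir = 'C:\Program Files\Winlogbeat'
$ConfigPath    = Join-Path $WinlogbeatDir 'winlogbeat.yml'

# Channel names copied from the winlogbeat.event_logs section above.
$Channels = @(
    'Application', 'System', 'Security', 'setup',
    'Windows PowerShell', 'Microsoft-Windows-PowerShell/Operational',
    'PowerShell Profile Management',
    'Microsoft-Windows-DSC/Admin', 'Microsoft-Windows-DSC/Operational',
    'Microsoft-Windows-WindowsUpdateClient/Operational',
    'Microsoft-FSLogix-Apps/Admin', 'Microsoft-FSLogix-Apps/Operational',
    'Microsoft-FSLogix-CloudCache/Admin', 'Microsoft-FSLogix-CloudCache/Operational',
    'Microsoft-AppV-Client/Admin', 'Microsoft-AppV-Client/Operational',
    'Microsoft-AppV-Client/Virtual Applications'
)

Write-Host '== Event log channels =='
foreach ($name in $Channels) {
    $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
    if ($null -eq $log) {
        Write-Warning "Channel '$name' does not exist on this host (product-specific channels appear only once the product is installed)."
    } elseif (-not $log.IsEnabled) {
        Write-Warning "Channel '$name' exists but is disabled; Winlogbeat will collect nothing from it."
    } else {
        Write-Host ('OK  {0}  ({1} records, max {2} MB)' -f $name, $log.RecordCount, [math]::Round($log.MaximumSizeInBytes / 1MB))
    }
}

# Events 4103 (module logging) and 4104 (script block logging) on
# Microsoft-Windows-PowerShell/Operational are only generated when the
# matching policy keys are set; without them the event_id filter collects nothing.
Write-Host '== PowerShell logging policy =='
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$sbl = Get-ItemProperty -Path "$PolicyRoot\ScriptBlockLogging" -ErrorAction SilentlyContinue
$mod = Get-ItemProperty -Path "$PolicyRoot\ModuleLogging"      -ErrorAction SilentlyContinue
if ($sbl.EnableScriptBlockLogging -eq 1) { Write-Host 'OK  script block logging enabled (event 4104)' }
else { Write-Warning 'Script block logging is not enabled; event 4104 will not be written.' }
if ($mod.EnableModuleLogging -eq 1) { Write-Host 'OK  module logging enabled (event 4103)' }
else { Write-Warning 'Module logging is not enabled; event 4103 will not be written.' }

# Let Winlogbeat parse the YAML and try the configured output itself.
Write-Host '== Winlogbeat self-test =='
& (Join-Path $WinlogbeatDir 'winlogbeat.exe') test config -c $ConfigPath -e
& (Join-Path $WinlogbeatDir 'winlogbeat.exe') test output -c $ConfigPath -e
```

Run it from an elevated PowerShell session, since reading the Security channel configuration and the policy keys requires administrative rights.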