windows 日志收集

1、filebeat windows版

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - C:\logs\*.log
  multiline.pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
  multiline.negate: true
  multiline.match: "after"
  tags: ["winlog"]

output.elasticsearch:
  hosts: ["192.168.60.164:9200"]
  indices:
    - index: "winlog-%{+yyyy.MM}"
      when.contains:
        tags: "winlog"

2、windows 开机自启，C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

@echo off

cd "C:\filebeat-7.5.1-windows-x86_64\filebeat-7.5.1-windows-x86_64\"
net start filebeat

@pause

　　

2023-03-15，最近发现采集windows日志，来源不太好确认，所以就修改了配置

filebeat

filebeat.inputs:
- type: log
  enabled: true
  encoding: GB2312
  paths:
    - D:\auto_find\logs\*.log
  multiline.pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
  multiline.negate: true
  multiline.match: "after"
  tags: ["auto"]
 
output.logstash:
  hosts: ["192.168.61.228:10515"]
  indices:
    - index: "auto-%{+yyyy.MM.dd}"
      when.contains:
        tags: "auto"

processors:
- add_host_metadata:
    netinfo.enabled: true

setup.template.settings:
  index.number_of_shards: 1
setup.template.name: "auto"
setup.template.pattern: "auto-*"
setup.template.overwrite: true
setup.template.enabled: true
setup.ilm.enabled: false

 

pipeline

- pipeline.id: windows_auto
  path.config: "/opt/soft/logstash-7.5.1/config/windows_auto.conf"

 

logstash

input {
  beats {
    port => 10515
  }
}

filter{
  if "auto" in [tags]{
    grok {
        match => ["message","%{TIMESTAMP_ISO8601:timestamp8601}"]
    }
    date {
        match => ["timestamp8601", "yyyy-MM-dd HH:mm:ss"]
        target => "@timestamp"
    }
  }

}

output {
  if "auto" in [tags]{
     elasticsearch {
       hosts => ["http://192.168.61.228:9200"]
       index => "auto-%{+YYYY.MM.dd}"
     }
  }


}

 

 

参考一下

https://doc.yonyoucloud.com/doc/logstash-best-practice-cn/filter/grok.html

https://blog.csdn.net/knight_zhou/article/details/104954098