Windows log collection
1. filebeat for Windows
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - C:\logs\*.log
    # a line that does not start with a date is a continuation of the previous event
    multiline.pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
    multiline.negate: true
    multiline.match: "after"
    tags: ["winlog"]

output.elasticsearch:
  hosts: ["192.168.60.164:9200"]
  # route tagged events to a monthly index
  indices:
    - index: "winlog-%{+yyyy.MM}"
      when.contains:
        tags: "winlog"
2. Windows autostart: put a batch file in C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
@echo off
rem the directory is only needed if filebeat.exe is run directly; the service carries its own path
cd "C:\filebeat-7.5.1-windows-x86_64\filebeat-7.5.1-windows-x86_64\"
rem requires the filebeat service to be registered (install-service-filebeat.ps1 in the zip) and an elevated shell
net start filebeat
@pause
Note: the Startup folder runs at user logon, not at boot. A filebeat service registered with the bundled install-service-filebeat.ps1 is already set to start automatically, so this batch file only matters if the service start type was changed to Manual.
2023-03-15: recently I found that when collecting Windows logs the source host was hard to identify, so I changed the configuration.
filebeat
filebeat.inputs:
  - type: log
    enabled: true
    encoding: GB2312          # the application writes GB2312, not UTF-8
    paths:
      - D:\auto_find\logs\*.log
    # a line that does not start with a date is a continuation of the previous event
    multiline.pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
    multiline.negate: true
    multiline.match: "after"
    tags: ["auto"]

output.logstash:
  hosts: ["192.168.61.228:10515"]
  # indices/when.contains is an output.elasticsearch option; with output.logstash
  # the index name is decided in the Logstash pipeline below
  indices:
    - index: "auto-%{+yyyy.MM.dd}"
      when.contains:
        tags: "auto"

# adds host.name, host.ip, host.mac etc. to every event, so the source machine is identifiable
processors:
  - add_host_metadata:
      netinfo.enabled: true

# template settings only take effect when filebeat itself talks to Elasticsearch
# (e.g. `filebeat setup`); they are not applied through the Logstash output
setup.template.settings:
  index.number_of_shards: 1
setup.template.name: "auto"
setup.template.pattern: "auto-*"
setup.template.overwrite: true
setup.template.enabled: true
setup.ilm.enabled: false
pipeline (pipelines.yml)
- pipeline.id: windows_auto
  path.config: "/opt/soft/logstash-7.5.1/config/windows_auto.conf"
logstash
input {
  beats {
    port => 10515
  }
}

filter {
  if "auto" in [tags] {
    # copy the leading timestamp of the message into its own field
    grok {
      match => ["message", "%{TIMESTAMP_ISO8601:timestamp8601}"]
    }
    # TIMESTAMP_ISO8601 also matches fractional seconds (e.g. "10:22:35,117"), which this
    # pattern does not parse; such events get _dateparsefailure and keep the ingest time.
    # Without `timezone => "Asia/Shanghai"` the string is read as UTC.
    date {
      match => ["timestamp8601", "yyyy-MM-dd HH:mm:ss"]
      target => "@timestamp"
    }
  }
}

output {
  if "auto" in [tags] {
    elasticsearch {
      hosts => ["http://192.168.61.228:9200"]
      index => "auto-%{+YYYY.MM.dd}"   # day taken from @timestamp, in UTC
    }
  }
}
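The filebeat and Logstash settings above are easier to reason about when the steps are run by hand. The following Python script is an added example (not code from this note, from Beats or from Logstash): it models what the two configurations ask the tools to do, namely GB2312 decoding, multiline grouping with negate/after, the TIMESTAMP_ISO8601 grok, the date filter and the daily index routing, and runs them over a constructed GB2312 log whose last line carries log4j-style milliseconds. The sample bytes, the EXAMPLE_INGEST ship time and the SHANGHAI offset (standing in for `timezone => "Asia/Shanghai"`) are assumptions made for the demo.

```python
"""Offline model of the filebeat -> Logstash path configured on this page.
Added example; it is not code from the original note, Beats or Logstash.
It reproduces what the page's settings ask the tools to do:
  * filebeat `encoding: GB2312` decodes the file before line handling
  * multiline.pattern '^[0-9]{4}-[0-9]{2}-[0-9]{2}', negate: true,
    match: after glues continuation lines onto the previous event
  * grok %{TIMESTAMP_ISO8601:timestamp8601} copies the leading timestamp
  * the date filter parses it with "yyyy-MM-dd HH:mm:ss" into @timestamp
  * the output writes to auto-%{+YYYY.MM.dd}, derived from @timestamp
The log bytes below are constructed for the demo; the last line carries
milliseconds (log4j's default ",SSS"), which TIMESTAMP_ISO8601 accepts but
the page's date pattern does not.
"""
import re
from datetime import datetime, timezone, timedelta

MULTILINE_PATTERN = re.compile(r"^[0-9]{4}-[0-9]{2}-[0-9]{2}")

# Python rendering of grok's TIMESTAMP_ISO8601: date, 'T' or space, HH:mm,
# optional :ss with optional fraction ([:.,]digits), optional zone.
TIMESTAMP_ISO8601 = re.compile(
    r"\d{4}-(?:0?[1-9]|1[0-2])-(?:0?[1-9]|[12]\d|3[01])[T ]"
    r"(?:2[0-3]|[01]?\d):?[0-5]\d(?::?(?:[0-5]?\d|60)(?:[:.,]\d+)?)?"
    r"(?:Z|[+-](?:2[0-3]|[01]?\d)(?::?[0-5]\d)?)?"
)

# Joda patterns as the date filter writes them, mapped to strptime.
DATE_PATTERNS = {
    "yyyy-MM-dd HH:mm:ss": "%Y-%m-%d %H:%M:%S",
    "yyyy-MM-dd HH:mm:ss,SSS": "%Y-%m-%d %H:%M:%S,%f",
}
SHANGHAI = timezone(timedelta(hours=8))  # assumed stand-in for timezone => "Asia/Shanghai"
EXAMPLE_INGEST = datetime(2023, 3, 16, 0, 5, tzinfo=timezone.utc)  # constructed ship time

# Constructed sample: a GB2312-encoded application log with one stack trace.
SAMPLE = (
    "2023-03-15 10:22:33 INFO 任务开始\n"
    "2023-03-15 10:22:34 ERROR 处理失败\n"
    "    at com.example.Job.run(Job.java:42)\n"
    "    at com.example.Main.main(Main.java:10)\n"
    "2023-03-15 10:22:35,117 WARN 重试中\n"
).encode("gb2312")


def multiline_after(lines):
    """negate: true + match: after -- a line that does NOT match the pattern is
    appended to the previous event; a matching line starts a new event."""
    events = []
    for line in lines:
        if MULTILINE_PATTERN.match(line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events


def date_filter(value, patterns, tz):
    """Try each pattern in order like the Logstash date filter. Without a
    `timezone =>` setting Logstash reads the string as UTC; tz models that."""
    for joda in patterns:
        try:
            return datetime.strptime(value, DATE_PATTERNS[joda]).replace(tzinfo=tz)
        except ValueError:
            continue
    return None


def process(raw, patterns=("yyyy-MM-dd HH:mm:ss",), tz=timezone.utc):
    """Run the page's pipeline over raw file bytes and return Logstash-like events."""
    events = []
    for message in multiline_after(raw.decode("gb2312").splitlines()):
        tags = ["auto"]
        m = TIMESTAMP_ISO8601.search(message)  # grok matches anywhere in the field
        ts = m.group(0) if m else None
        parsed = date_filter(ts, patterns, tz) if ts else None
        if ts is None:
            tags.append("_grokparsefailure")
        elif parsed is None:
            tags.append("_dateparsefailure")  # @timestamp keeps the ingest time
        events.append({"message": message, "timestamp8601": ts,
                       "@timestamp": parsed, "tags": tags})
    return events


def index_name(event, ingest_time=EXAMPLE_INGEST):
    """index => "auto-%{+YYYY.MM.dd}" formats @timestamp in UTC; an event whose
    date parse failed is routed by the day it was shipped, not the day it was logged."""
    ts = event["@timestamp"] or ingest_time
    return "auto-" + ts.astimezone(timezone.utc).strftime("%Y.%m.%d")


if __name__ == "__main__":
    for ev in process(SAMPLE):
        print(index_name(ev), ev["tags"], ev["timestamp8601"], repr(ev["message"][:40]))
```

Running it shows the two things to check on a real deployment: the stack trace lands inside the ERROR event as one message, and the line with ",117" is tagged _dateparsefailure and routed to the next day's index. Passing the second pattern (the equivalent of adding "yyyy-MM-dd HH:mm:ss,SSS" to the date filter's match list) fixes the parse, and passing tz=SHANGHAI shows the 8-hour shift that `timezone => "Asia/Shanghai"` corrects when the application writes local time.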
References
https://doc.yonyoucloud.com/doc/logstash-best-practice-cn/filter/grok.html
https://blog.csdn.net/knight_zhou/article/details/104954098