IIS

Windows

• Download the Filebeat Windows zip file from the official downloads page.

• Extract the contents of the zip file into C:\Program Files.

• Rename the filebeat-<version>-windows directory to Filebeat.

• Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select Run As Administrator). If you are running Windows XP, you may need to download and install PowerShell.

• Run the following commands to install Filebeat as a Windows service:

  PS > cd 'C:\Program Files\Filebeat'
  PS C:\Program Files\Filebeat> .\install-service-filebeat.ps1`
  

    If script execution is disabled on your system, you need to set the execution policy for the current session to allow the script to run. For example: PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-filebeat.ps1.

Open C:\Program Files\Filebeat\filebeat.yml

Setup the data you wish to send us, by editing the prospector path variables.
These fully support wildcards. You can also add a document type.
An example with nginx logs might look like

filebeat.prospectors:

- type: log
  enabled: true
  paths:
    - C:\inetpub\logs\LogFiles\*\*
  fields:
    type: iis
  fields_under_root: true
  encoding: utf-8
  exclude_lines: ["^#"]
  exclude_files: [".zip"]
  ignore_older: 24h
  

We'll be shipping to Logstash so that we have the option to run filters before the data is indexed.
Comment out the elasticsearch output block.

## Comment out elasticsearch output
#output.elasticsearch:
#  hosts: ["localhost:9200"]

Uncomment and change the logstash output to match below.

output.logstash:
    hosts: ["your-logstash-host:your-port"]
    loadbalance: true
    ssl.enabled: true

Let's check the configuration file is syntactically correct.

Run from the extracted archive dir

filebeat -e -c filebeat.yml

Ok, time to start ingesting data!

PS C:\Program Files\Filebeat> Start-Service filebeat