配置 winlogbeat.yml 配置ignore_older，否则会导入系统里很久之前的数据

winlogbeat.event_logs:
    - name: Application
      ignore_older: 48h
      provider:
          - Application Error
          - Application Hang
          - Windows Error Reporting
          - EMET
    - name: Security
      level: critical, error, warning
      event_id: 4624, 4625, 4700-4800, -4735
      ignore_older: 48h
    - name: System
      level: critical, error, warning
      ignore_older: 48h
    - name: Microsoft-Windows-Windows Defender/Operational
      include_xml: true
      ignore_older: 48h

导入es模板 scripts\import_dashboards.exe -es http://192.168.33.60:9200

安装服务

powershell管理员运行 .\install-service-winlogbeat.ps1

执行报错scripts is disabled on this system 需要先执行 Set-ExecutionPolicy RemoteSigned解除限制

net start/stop winlogbeat

命令行运行 .\winlogbeat.exe -c .\winlogbeat.yml