elasticsearch Winlogbeat SSL connection to ES\Kibana

xe55xuns posted on 2022-11-02 in ElasticSearch

I have an Ubuntu VM where I run ES and Kibana, and a Windows VM where I want to run Winlogbeat. The idea is to ship the Windows events to ES and then visualize them with Kibana.
Kibana is reachable through the browser from both VMs, and the two VMs are on the same subnet.
Elasticsearch.yml


# ======================== Elasticsearch Configuration =========================

# 

# NOTE: Elasticsearch comes with reasonable defaults for most settings.

# Before you set out to tweak and tune the configuration, make sure you

# understand what are you trying to accomplish and the consequences.

# 

# The primary way of configuring a node is via this file. This template lists

# the most important settings you may want to configure for a production cluster.

# 

# Please consult the documentation for further information on configuration options:

# https://www.elastic.co/guide/en/elasticsearch/reference/index.html

# 

# ---------------------------------- Cluster -----------------------------------

# 

# Use a descriptive name for your cluster:

# 

# cluster.name: my-application

# 

# ------------------------------------ Node ------------------------------------

# 

# Use a descriptive name for the node:

# 

node.name: node-1

# 

# Add custom attributes to the node:

# 

# node.attr.rack: r1

# 

# ----------------------------------- Paths ------------------------------------

# 

# Path to directory where to store the data (separate multiple locations by comma):

# 

path.data: /var/lib/elasticsearch

# 

# Path to log files:

# 

path.logs: /var/log/elasticsearch

# 

# ----------------------------------- Memory -----------------------------------

# 

# Lock the memory on startup:

# 

# bootstrap.memory_lock: true

# 

# Make sure that the heap size is set to about half the memory available

# on the system and that the owner of the process is allowed to use this

# limit.

# 

# Elasticsearch performs poorly when the system is swapping the memory.

# 

# ---------------------------------- Network -----------------------------------

# 

# By default Elasticsearch is only accessible on localhost. Set a different

# address here to expose this node on the network:

# 

network.host: 10.211.55.7

# By default Elasticsearch listens for HTTP traffic on the first free port it

# finds starting at 9200. Set a specific HTTP port here:

# 

# http.port: 9200

# 

# For more information, consult the network module documentation.

# 

# --------------------------------- Discovery ----------------------------------

# 

# Pass an initial list of hosts to perform discovery when this node is started:

# The default list of hosts is ["127.0.0.1", "[::1]"]

# 

# discovery.seed_hosts: ["host1", "host2"]

# 

# Bootstrap the cluster using an initial set of master-eligible nodes:

# 

cluster.initial_master_nodes: ["node-1"]

# 

# For more information, consult the discovery and cluster formation module documentation.

# 

# ---------------------------------- Various -----------------------------------

# 

# Require explicit names when deleting indices:

# 

# action.destructive_requires_name: true

# 

# ---------------------------------- Security ----------------------------------

# 

# ***WARNING***

# 

# Elasticsearch security features are not enabled by default.

# These features are free, but require configuration changes to enable them.

# This means that users don’t have to provide credentials and can get full access

# to the cluster. Network connections are also not encrypted.

# 

# To protect your data, we strongly encourage you to enable the Elasticsearch security features.

# Refer to the following documentation for instructions.

# 

# https://www.elastic.co/guide/en/elasticsearch/reference/7.16/configuring-stack-security.html

# X-Pack Setting

xpack.security.enabled: True

# Transport layer

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: /etc/elasticsearch/certs/elasticsearch.key
xpack.security.transport.ssl.certificate: /etc/elasticsearch/certs/elasticsearch.crt
xpack.security.transport.ssl.certificate_authorities: [ "/etc/elasticsearch/certs/ca/ca.crt" ]

# HTTP layer

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.verification_mode: certificate
xpack.security.http.ssl.key: /etc/elasticsearch/certs/elasticsearch.key
xpack.security.http.ssl.certificate: /etc/elasticsearch/certs/elasticsearch.crt
xpack.security.http.ssl.certificate_authorities: [ "/etc/elasticsearch/certs/ca/ca.crt" ]

Kibana.yml


# Kibana is served by a back end server. This setting specifies the port to use.

server.port: 5601

# Specifies the address to which the Kibana server will bind. IP addresses and host names are both vali>

# The default is 'localhost', which usually means remote machines will not be able to connect.

# To allow connections from remote users, set this parameter to a non-loopback address.

server.host: "10.211.55.7"

# Enables you to specify a path to mount Kibana at if you are running behind a proxy.

# Use the `server.rewriteBasePath` setting to tell Kibana if it should remove the basePath

# from requests it receives, and to prevent a deprecation warning at startup.

# This setting cannot end in a slash.

# server.basePath: ""

# Specifies whether Kibana should rewrite requests that are prefixed with

# `server.basePath` or require that they are rewritten by your reverse proxy.

# This setting was effectively always `false` before Kibana 6.3 and will

# default to `true` starting in Kibana 7.0.

# server.rewriteBasePath: false

# Specifies the public URL at which Kibana is available for end users. If

# `server.basePath` is configured this URL should end with the same basePath.

server.publicBaseUrl: "https://10.211.55.7:5601"

# The maximum payload size in bytes for incoming server requests.

# server.maxPayload: 1048576

# The Kibana server's name.  This is used for display purposes.

# server.name: "your-hostname"

# The URLs of the Elasticsearch instances to use for all your queries.

elasticsearch.hosts: ["https://10.211.55.7:9200"]
elasticsearch.ssl.certificateAuthorities: ["/etc/kibana/certs/ca/ca.crt"]
elasticsearch.ssl.certificate: /etc/kibana/certs/kibana.crt
elasticsearch.ssl.key: /etc/kibana/certs/kibana.key

# Kibana uses an index in Elasticsearch to store saved searches, visualizations and

# dashboards. Kibana creates a new index if the index doesn't already exist.

# kibana.index: ".kibana"

# The default application to load.

# kibana.defaultAppId: "home"

# If your Elasticsearch is protected with basic authentication, these settings provide

# the username and password that the Kibana server uses to perform maintenance on the Kibana

# index at startup. Your Kibana users still need to authenticate with Elasticsearch, which

# is proxied through the Kibana server.

# elasticsearch.username: "kibana_system"

# elasticsearch.password: "pass"

# Kibana can also authenticate to Elasticsearch via "service account tokens".

# If may use this token instead of a username/password.

# elasticsearch.serviceAccountToken: "my_token"

# Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.

# These settings enable SSL for outgoing requests from the Kibana server to the browser.

server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/certs/kibana.crt
server.ssl.key: /etc/kibana/certs/kibana.key

# Optional settings that provide the paths to the PEM-format SSL certificate and key files.

# These files are used to verify the identity of Kibana to Elasticsearch and are required when

# xpack.security.http.ssl.client_authentication in Elasticsearch is set to required.

# elasticsearch.ssl.certificate: /path/to/your/client.crt

# elasticsearch.ssl.key: /path/to/your/client.key

# Optional setting that enables you to specify a path to the PEM file for the certificate

# authority for your Elasticsearch instance.

# elasticsearch.ssl.certificateAuthorities: [ "/path/to/your/CA.pem" ]

# To disregard the validity of SSL certificates, change this setting's value to 'none'.

# elasticsearch.ssl.verificationMode: full

# Time in milliseconds to wait for Elasticsearch to respond to pings. Defaults to the value of

# the elasticsearch.requestTimeout setting.

# elasticsearch.pingTimeout: 1500

# Time in milliseconds to wait for responses from the back end or Elasticsearch. This value

# must be a positive integer.

# elasticsearch.requestTimeout: 30000

# List of Kibana client-side headers to send to Elasticsearch. To send *no* client-side

# headers, set this value to [] (an empty list).

# elasticsearch.requestHeadersWhitelist: [ authorization ]

# Header names and values that are sent to Elasticsearch. Any custom headers cannot be overwritten

# by client-side headers, regardless of the elasticsearch.requestHeadersWhitelist configuration.

# elasticsearch.customHeaders: {}

# Time in milliseconds for Elasticsearch to wait for responses from shards. Set to 0 to disable.

# elasticsearch.shardTimeout: 30000

# Logs queries sent to Elasticsearch. Requires logging.verbose set to true.

# elasticsearch.logQueries: false

# Specifies the path where Kibana creates the process ID file.

# pid.file: /run/kibana/kibana.pid

# Enables you to specify a file where Kibana stores log output.

# logging.dest: stdout

# Set the value of this setting to true to suppress all logging output.

# logging.silent: false

# Set the value of this setting to true to suppress all logging output other than error messages.

# logging.quiet: false

# Set the value of this setting to true to log all events, including system usage information

# and all requests.

# logging.verbose: false

# Set the interval in milliseconds to sample system and process performance

# metrics. Minimum is 100ms. Defaults to 5000.

# ops.interval: 5000

# Specifies locale to be used for all localizable strings, dates and number formats.

# Supported languages are the following: English - en , by default , Chinese - zh-CN .

# i18n.locale: "en"

# X-Pack Setting

xpack.security.enabled: True
elasticsearch.username: "elastic"
elasticsearch.password: "cs6cen5MXEzRDQpfvK5R"

Winlogbeat.yml


###################### Winlogbeat Configuration Example ########################

# This file is an example configuration file highlighting only the most common

# options. The winlogbeat.reference.yml file from the same directory contains

# all the supported options with more comments. You can use it as a reference.

# 

# You can find the full configuration reference here:

# https://www.elastic.co/guide/en/beats/winlogbeat/index.html

# ======================== Winlogbeat specific options =========================

# event_logs specifies a list of event logs to monitor as well as any

# accompanying options. The YAML data type of event_logs is a list of

# dictionaries.

# 

# The supported keys are name, id, xml_query, tags, fields, fields_under_root,

# forwarded, ignore_older, level, event_id, provider, and include_xml.

# The xml_query key requires an id and must not be used with the name,

# ignore_older, level, event_id, or provider keys. Please visit the

# documentation for the complete details of each option.

# https://go.es.io/WinlogbeatConfig

winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h

  - name: System

  - name: Security

  - name: Microsoft-Windows-Sysmon/Operational

  - name: Windows PowerShell
    event_id: 400, 403, 600, 800

  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104, 4105, 4106

  - name: ForwardedEvents
    tags: [forwarded]

# ====================== Elasticsearch template settings =======================

setup.template.settings:
  index.number_of_shards: 1
  #index.codec: best_compression
  #_source.enabled: false

# ================================== General ===================================

# The name of the shipper that publishes the network data. It can be used to group

# all the transactions sent by a single shipper in the web interface.

# name:

# The tags of the shipper are included in their own field with each

# transaction published.

# tags: ["service-X", "web-tier"]

# Optional fields that you can specify to add additional information to the

# output.

# fields:

# env: staging

# ================================= Dashboards =================================

# These settings control loading the sample dashboards to the Kibana index. Loading

# the dashboards is disabled by default and can be enabled either by setting the

# options here or by using the `setup` command.

setup.dashboards.enabled: true

# The URL from where to download the dashboards archive. By default this URL

# has a value which is computed based on the Beat name and version. For released

# versions, this URL points to the dashboard archive on the artifacts.elastic.co

# website.

# setup.dashboards.url:

# =================================== Kibana ===================================

# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.

# This requires a Kibana endpoint configuration.

setup.kibana:
    host: "https://10.211.55.7:5601"
    ssl.enabled: true
    kibana.protocol: https
    ssl.certificate_authorities: [C:\Program Files\Winlogbeat\certs\ca\ca.crt]
    ssl.certificate: C:\Program Files\Winlogbeat\certs\Winlogbeat.crt
    ssl.key: C:\Program Files\Winlogbeat\certs\Winlogbeat.key

  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify and additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601

  # Kibana Space ID
  # ID of the Kibana Space into which the dashboards should be loaded. By default,
  # the Default Space will be used.
  #space.id:

# =============================== Elastic Cloud ================================

# These settings simplify using Winlogbeat with the Elastic Cloud (https://cloud.elastic.co/).

# The cloud.id setting overwrites the `output.elasticsearch.hosts` and

# `setup.kibana.host` options.

# You can find the `cloud.id` in the Elastic Cloud web UI.

# cloud.id:

# The cloud.auth setting overwrites the `output.elasticsearch.username` and

# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.

# cloud.auth:

# ================================== Outputs ===================================

# Configure what output to use when sending the data collected by the beat.

# ---------------------------- Elasticsearch Output ----------------------------

output.elasticsearch.hosts: ['https://10.211.55.7:9200']
output.elasticsearch.protocol: https
output.elasticsearch.ssl.certificate: C:\Program Files\Winlogbeat\certs\Winlogbeat.crt
output.elasticsearch.ssl.key: C:\Program Files\Winlogbeat\certs\Winlogbeat.key
output.elasticsearch.ssl.certificate_authorities: [C:\Program Files\Winlogbeat\certs\ca\ca.crt]
username: elastic
password: cs6cen5MXEzRDQpfvK5R

# ssl:

# enabled: false

# ca_trusted_fingerprint: "b9a10bbe64ee9826abeda6546fc988c8bf798b41957c33d05db736716513dc9c"

  # Protocol - either `http` (default) or `https`.
  #protocol: "https"

  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  #username: "elastic"
  #password: "changeme"

# Pipeline to route events to security, sysmon or powershell pipelines

pipeline: "winlogbeat-%{[agent.version]}-routing"

# ------------------------------ Logstash Output -------------------------------

# output.logstash:

  # The Logstash hosts
  #hosts: ["localhost:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

# ================================= Processors =================================

processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~

# ================================== Logging ===================================

# Sets log level. The default log level is info.

# Available log levels are: error, warning, info, debug

# logging.level: debug

# At debug level, you can selectively enable logging only for some components.

# To enable all selectors use ["*"]. Examples of other selectors are "beat",

# "publisher", "service".

# logging.selectors: ["*"]

# ============================= X-Pack Monitoring ==============================

# Winlogbeat can export internal metrics to a central Elasticsearch monitoring

# cluster.  This requires xpack monitoring to be enabled in Elasticsearch.  The

# reporting is disabled by default.

# Set to true to enable the monitoring reporter.

# monitoring.enabled: false

# Sets the UUID of the Elasticsearch cluster under which monitoring data for this

# Winlogbeat instance will appear in the Stack Monitoring UI. If output.elasticsearch

# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch.

# monitoring.cluster_uuid:

# Uncomment to send the metrics to Elasticsearch. Most settings from the

# Elasticsearch output are accepted here as well.

# Note that the settings should point to your Elasticsearch *monitoring* cluster.

# Any setting that is not set is automatically inherited from the Elasticsearch

# output configuration, so if you have the Elasticsearch output configured such

# that it is pointing to your Elasticsearch monitoring cluster, you can simply

# uncomment the following line.

# monitoring.elasticsearch:

# ============================== Instrumentation ===============================

# Instrumentation support for the winlogbeat.

# instrumentation:

    # Set to true to enable instrumentation of winlogbeat.
    #enabled: false

    # Environment in which winlogbeat is running on (eg: staging, production, etc.)
    #environment: ""

    # APM Server hosts to report instrumentation results to.
    #hosts:
    #  - http://localhost:8200

    # API Key for the APM Server(s).
    # If api_key is set then secret_token will be ignored.
    #api_key:

    # Secret token for the APM Server(s).
    #secret_token:

# ================================= Migration ==================================

# This allows to enable 6.7 migration aliases

# migration.6_to_7.enabled: true

When I try to start Winlogbeat as a service, I get the following error:

PS C:\Program Files\Winlogbeat> Start-Service winlogbeat
Start-Service : Failed to start service 'winlogbeat (winlogbeat)'.
At line:1 char:1
+ Start-Service winlogbeat
+ ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.ServiceProcess.ServiceController:ServiceController) [Start-Service], ServiceCommandException
    + FullyQualifiedErrorId : StartServiceFailed,Microsoft.PowerShell.Commands.StartServiceCommand

The output of .\winlogbeat.exe -c winlogbeat.yml -e -v -d "*" is:

{"log.level":"error","@timestamp":"2022-10-14T16:19:35.034+0200","log.origin":{"file.name":"instance/beat.go","file.line":1056},"message":"Exiting: error connecting to Kibana: fail to get the Kibana version: HTTP GET request to https://10.211.55.7:5601/api/status fails: Unauthorized: %!w(<nil>). Response: {\"statusCode\":401,\"error\":\"Unauthorized\",\"message\":\"Unauthorized\"}","service.name":"winlogbeat","ecs.version":"1.6.0"}
Exiting: error connecting to Kibana: fail to get the Kibana version: HTTP GET request to https://10.211.55.7:5601/api/status fails: Unauthorized: %!w(<nil>). Response: {"statusCode":401,"error":"Unauthorized","message":"Unauthorized"}

Thanks a lot

wfauudbj1#

Tl;dr:

"error":"Unauthorized","message":"Unauthorized" does not point to a problem with your SSL certificates. It points to a problem with the login mechanism.
This bit, request to https://10.211.55.7:5601/api/status fails: Unauthorized: %!w(<nil>), hints at a problem with the defined user. If I'm not mistaken, <nil> means null.

Error

In winlogbeat.yml, as you can see in the documentation:

output.elasticsearch.hosts: ['https://10.211.55.7:9200']
output.elasticsearch.protocol: https
output.elasticsearch.ssl.certificate: C:\Program Files\Winlogbeat\certs\Winlogbeat.crt
output.elasticsearch.ssl.key: C:\Program Files\Winlogbeat\certs\Winlogbeat.key
output.elasticsearch.ssl.certificate_authorities: [C:\Program Files\Winlogbeat\certs\ca\ca.crt]
username: elastic # <- not defined correctly
password: cs6cen5MXEzRDQpfvK5R # <- not defined correctly

Solution

output.elasticsearch.hosts: ['https://10.211.55.7:9200']
output.elasticsearch.protocol: https
output.elasticsearch.ssl.certificate: C:\Program Files\Winlogbeat\certs\Winlogbeat.crt
output.elasticsearch.ssl.key: C:\Program Files\Winlogbeat\certs\Winlogbeat.key
output.elasticsearch.ssl.certificate_authorities: [C:\Program Files\Winlogbeat\certs\ca\ca.crt]
output.elasticsearch.username: elastic
output.elasticsearch.password: cs6cen5MXEzRDQpfvK5R
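A worked check for the answer above. This is an added example, not code from the original question or answer. The mechanism behind the 401 is that Beats ignore top-level username:/password: keys, and setup.kibana, which has no credentials of its own in the posted file, falls back to the output.elasticsearch ones; those were empty, so the GET to /api/status went out unauthenticated. The script below reproduces that request with and without credentials, moves the password out of winlogbeat.yml into the Beats keystore, validates the config and the connection, and only then starts the service. It assumes the values from the question (Kibana at https://10.211.55.7:5601, the CA at C:\Program Files\Winlogbeat\certs\ca\ca.crt, the elastic user), that the service was installed with the bundled install-service-winlogbeat.ps1 (which runs the beat with --path.data C:\ProgramData\winlogbeat, so the keystore and logs live there rather than in the install directory), and an arbitrary keystore entry name ES_PWD.

```powershell
# Added example; not code from the original question or answer.
# Assumptions taken from the question: Kibana at https://10.211.55.7:5601, the
# private CA at C:\Program Files\Winlogbeat\certs\ca\ca.crt, the built-in
# 'elastic' user. Further assumption: the service was installed with the bundled
# install-service-winlogbeat.ps1, which starts the beat with
# --path.data C:\ProgramData\winlogbeat (keystore and logs live there, not in
# the install directory). ES_PWD is an arbitrary keystore entry name.
# Run from an elevated PowerShell prompt on the Windows VM.

Set-Location 'C:\Program Files\Winlogbeat'
$ca     = 'C:\Program Files\Winlogbeat\certs\ca\ca.crt'
$kibana = 'https://10.211.55.7:5601'
$data   = "$env:ProgramData\winlogbeat"

# 1. Reproduce the failure outside the beat. This is the request winlogbeat
#    sends during setup; with no credentials Kibana answers 401, as in the log.
#    curl.exe ships with Windows 10 1803+ / Server 2019+ (the bare 'curl' alias
#    would call Invoke-WebRequest). --cacert validates the server certificate
#    against the private CA instead of switching verification off.
curl.exe --silent --show-error --cacert $ca -o NUL -w "no credentials -> HTTP %{http_code}`n" "$kibana/api/status"

# 2. Same request as the user the beat will run with: expect 200.
#    Giving -u only the user name makes curl prompt for the password, so the
#    secret does not end up in the PowerShell history.
curl.exe --silent --show-error --cacert $ca -u elastic -o NUL -w "with credentials -> HTTP %{http_code}`n" "$kibana/api/status"

# 3. Keep the password out of winlogbeat.yml: store it in the Beats keystore and
#    reference it from the yml, nested under the output (top-level 'username:'
#    and 'password:' keys are ignored, which is what produced the 401):
#        output.elasticsearch.username: elastic
#        output.elasticsearch.password: "${ES_PWD}"
#    setup.kibana needs no credentials of its own: when setup.kibana.username is
#    unset, the beat reuses the output.elasticsearch ones for the Kibana API.
if (-not (Test-Path "$data\winlogbeat.keystore")) {
    .\winlogbeat.exe keystore create --path.data $data
}
.\winlogbeat.exe keystore add ES_PWD --force --path.data $data   # prompts for the value

# 4. Validate the file and the connection before touching the service.
#    'test config' catches malformed YAML and invalid settings; 'test output'
#    performs the TLS handshake and an authenticated request to Elasticsearch.
.\winlogbeat.exe test config -c .\winlogbeat.yml --path.data $data -e
.\winlogbeat.exe test output -c .\winlogbeat.yml --path.data $data -e

# 5. Start the service and read the beat's own log; Start-Service only reports
#    that the process exited, not why.
Start-Service winlogbeat
Start-Sleep -Seconds 5
Get-ChildItem "$data\logs\winlogbeat*" |
    Sort-Object LastWriteTime |
    Select-Object -Last 1 |
    Get-Content -Tail 20 |
    Select-String -Pattern 'error', 'established'
```

If step 1 returns 401 and step 2 returns 200, the certificates are fine and only the credentials need fixing, which is the answer's point. A dedicated user with just the publishing and setup privileges described in the Winlogbeat documentation would be safer than the elastic superuser; the commands are the same, only the -u value and the keystore entry change.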
