[Winlogbeat] Add setting to load event_logs configuration from files

[jsoriano]

Add setting to load winlogbeat event_logs configuration from files, in a similar fashion to filebeat.config.modules.path or metricbeat.config.modules.path. So when using configuration management tools specific event logs configuration can be deployed to specific servers while sharing the same general settings.

The configuration could then be something like this:

winlogbeat.config.event_logs:
  path: ${path.config}/event_logs.d/*.yml
  reload.enabled: false
  #reload.period: 10s

[DirkAmelinckx]

+1

[andrewkroh]

One thing that I would add is that there needs to be change to allow Winlogbeat to map each event_log reader to a registry entry. Currently there is an implied limitation that each event log reader name be unique (e.g. you should never start two readers on the same event log) because the registry uses the event log name as the key.

This limitation means that you could not have granular configs like one reader that handles logon events from Security and one that handles group membership changes from Security.

By requiring (or assigning) each event_log reader to have a unique ID in the config this will allow for more granular and more powerful configs (like an event_log reader that reads from multiple event logs or allows for a XML query).

[botelastic]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[botelastic]

This issue doesn't have a Team:<team> label.

[jsoriano]

This will be superseded by #15324, winlogbeat will be an input in filebeat.