diff --git a/VMware-Logging/troubleshooting filebeat.yaml b/VMware-Logging/troubleshooting filebeat.yaml
new file mode 100644
index 0000000..7c3ece4
--- /dev/null
+++ b/VMware-Logging/troubleshooting filebeat.yaml
@@ -0,0 +1,79 @@
+# ============================== Filebeat inputs ===============================
+
+filebeat.inputs:
+
+# filestream is an input for collecting log messages from files.
+- type: syslog
+ format: auto
+ protocol.tcp:
+ host: "10.2.102.2:514"
+
+ # Change to true to enable this input configuration.
+ enabled: true
+
+# ============================== Filebeat modules ==============================
+
+filebeat.config.modules:
+ # Glob pattern for configuration loading
+ path: ${path.config}/modules.d/*.yml
+
+ # Set to true to enable config reloading
+ reload.enabled: false
+
+# ================================== Outputs ===================================
+
+# Configure what output to use when sending the data collected by the beat.
+#File
+output.file:
+ path: e:\vmwarelogs
+ filename: vmware
+ rotate_every_kb: 1048576
+
+#Kafka
+#output.kafka:
+# hosts: ['itdclmagg1.nd.gov:12200', 'itdclmagg2.nd.gov:12200', 'itdclmagg3.nd.gov:12200', 'itdclmagg4.nd.gov:12200', 'itdclmagg5.nd.gov:12200', 'itdclmagg6.nd.gov:12200']
+# username: "vmware"
+# password: "sheez3aeseingae0Quohpu3ooGh7le0a"
+# topic: "prod-vmware"
+# sasl.mechanism: "SCRAM-SHA-256"
+# version: "2.0.0"
+# partition.round_robin:
+# group_events: 16384
+# reachable_only: true
+# compression: gzip
+# compression_level: 2
+# max_message_bytes: 1000000
+# worker: 2
+# bulk_max_size: 2048
+# channel_buffer_size: 512
+# required_acks: 1
+# timeout: 20
+# keep_alive: 60s
+# ssl:
+# enabled: true
+
+
+
+# ================================= Processors =================================
+processors:
+ - add_fields:
+ target: ''
+ fields:
+ misc_retention: "7Y"
+ misc_index_name: "lto-vmware"
+ misc_topic: "prod-vmware"
+ - drop_event:
+ when:
+ not:
+ equals:
+ hostname: itdvmmdnora02.nd.gov
+
+
+# ================================= Monitoring =================================
+monitoring:
+ enabled: true
+ cluster_uuid: mN1nVwZ6RH-J1DsKZx4aWQ
+ elasticsearch:
+ hosts: ["https://itdelasticmon1.nd.gov:9200","https://itdelasticmon2.nd.gov:9200"]
+ username: vmware_monitoring_user
+ password:
\ No newline at end of file
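Review bot: The commented-out `output.kafka` block still carries a literal SCRAM password for the `vmware` user, and commenting the block out does not keep that value out of the repository or its history. The credential should be treated as exposed and rotated, and the line replaced with a keystore reference such as `#  password: "${KAFKA_PASSWORD}"` (the key name is an example; it would be added with `filebeat keystore add`). The empty `password:` under `monitoring.elasticsearch` should likewise reference a keystore key rather than be filled in inline later. Separately, the comment above `- type: syslog` still describes filestream, and the listener on `10.2.102.2:514` is plain TCP, so it is worth confirming that network path is trusted or adding the input's `ssl` settings.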