How to Install and Setup Winlogbeat in Elasticsearch


Introduction

Winlogbeat is an Elastic product that ships event logs to Elasticsearch and has functionality similar to Elastic’s “Beats”. As its name implies, Winlogbeat ships Windows events to the ELK stack. This tutorial shows how to install and set up Winlogbeat in Elasticsearch.

Prerequisites

  • Elasticsearch and Logstash must be installed and running before you can use Winlogbeat.

  • You need a 64-bit version of Windows, since Elasticsearch doesn’t support 32-bit architectures. See the Elastic discussion on 32-bit support for more details on Elasticsearch requirements.

Installing Winlogbeat

  • Download the appropriate Winlogbeat .zip file for your operating system from Elastic’s download page for Beats. Elastic also maintains an official GitHub repository for Winlogbeat.

  • Extract the zip file into C:\Program Files.

  • Run PowerShell as an administrator by right-clicking it and selecting “Run As Administrator”.

  • Execute the commands below in the shell:

PS C:\Users\Administrator> cd 'C:\Program Files\Winlogbeat'
PS C:\Program Files\Winlogbeat> .\install-service-winlogbeat.ps1

Security warning
You should only execute scripts that you trust. Scripts from the internet can be useful, but they can also harm your computer. If you trust this script, use the Unblock-File cmdlet to run it without the following warning message:

Do you want to run C:\Program Files\Winlogbeat\install-service-winlogbeat.ps1?
[D] Do not run [R] Run once [S] Suspend [?] Help (default is "D"): R

Status Name DisplayName
------ ---- -----------
Stopped winlogbeat winlogbeat

  • Before you run Winlogbeat, review the configuration file in the directory where Winlogbeat was installed. The default location is C:\Program Files\Winlogbeat\winlogbeat.yml.

  • You can also review a reference configuration file called winlogbeat.reference.yml that shows available options.

Setup Winlogbeat

  • Configure Winlogbeat by opening winlogbeat.yml and editing the section for Winlogbeat. The default values in this section are as follows:

winlogbeat.event_logs:
  - name: Application
    ignore_older: 24h
  - name: Security
  - name: System

Configuration

  • Here are some of the options you can specify in the winlogbeat.yml configuration file.

registry_file

  • The installation process for Winlogbeat stores winlogbeat.yml in the same folder where the Beat was initiated. However, when you run Winlogbeat as a Windows service, you should set the value of registry_file to C:/ProgramData/winlogbeat/.winlogbeat.yml as follows:

winlogbeat.registry_file: C:/ProgramData/winlogbeat/.winlogbeat.yml

event_logs

  • This option is a list of dictionaries that tells Winlogbeat which event logs it should keep track of. Every entry defines a type of event log that should be monitored.

  • There is only one mandatory field for the dictionary which is name:

winlogbeat.event_logs:
  - name: Application

event_logs.name

  • Each event_logs entry under the dictionary is required to have the name field.

winlogbeat.event_logs:
  - name: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall

event_logs.ignore_older

The ignore_older option filters out events that are older than the specified amount of time. No filtering will occur if you omit it. Valid time units include “ns”, “us”, “ms”, “s”, “m”, “h”.

winlogbeat.event_logs:
  - name: Application
    ignore_older: 32h

event_logs.event_id

  • The event_logs.event_id option is a list of comma-separated event IDs for single events.

  • You can include a single ID like 4234 or a range like 4500 - 4900.

  • You can also exclude IDs by prefixing the ID with a hyphen (-) like this: -4234

winlogbeat.event_logs:
  - name: Security
    event_id: 4231, 4401-4405
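
To check which events an event_id value would forward before deploying it, the following added example (not part of the original tutorial and not Elastic's code) models the syntax above in Python. The combination rule is an assumption: an event passes if its ID is not excluded and either matches an include entry or no include entries are given; all function names are hypothetical.

```python
import re

SINGLE = re.compile(r"^\d+$")                 # e.g. 4234
RANGE = re.compile(r"^(\d+)\s*-\s*(\d+)$")    # e.g. 4500 - 4900
EXCLUDE = re.compile(r"^-(\d+)$")             # e.g. -4234


def parse_event_id(expr):
    """Return (include_ranges, excluded_ids) for an event_id expression."""
    includes, excludes = [], set()
    for raw in expr.split(","):
        token = raw.strip()
        if SINGLE.match(token):
            includes.append((int(token), int(token)))
        elif m := RANGE.match(token):
            low, high = int(m.group(1)), int(m.group(2))
            if low > high:
                raise ValueError(f"reversed range: {token!r}")
            includes.append((low, high))
        elif m := EXCLUDE.match(token):
            excludes.add(int(m.group(1)))
        else:
            raise ValueError(f"unrecognised event_id entry: {token!r}")
    return includes, excludes


def is_shipped(event_id, expr):
    """True if an event with this ID passes the filter (assumed semantics)."""
    includes, excludes = parse_event_id(expr)
    if event_id in excludes:
        return False
    # With no include entries, everything that is not excluded passes.
    return not includes or any(lo <= event_id <= hi for lo, hi in includes)


def dropped(expected_ids, expr):
    """IDs that detections rely on but the filter would never forward."""
    return sorted(i for i in expected_ids if not is_shipped(i, expr))


# Constructed check: the tutorial's Security filter against IDs a hypothetical
# rule set expects (4624/4625 are Windows logon success/failure).
PAGE_FILTER = "4231, 4401-4405"

if __name__ == "__main__":
    print(dropped([4231, 4403, 4624, 4625], PAGE_FILTER))
```

Running the same check against the IDs your detection rules depend on shows whether a narrow event_id list would silently leave them out of the ELK stack.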

Consult Elastic’s website for more information on configuration options for the winlogbeat section of winlogbeat.yml.

  • You can control Winlogbeat’s general behavior within the winlogbeat.yml.

General Configuration:

  • Elastic Beats support all of the configuration options below.

  • Here is a sample configuration:

name: "text-forwader"
tags: ["service-wow", "web-layer"]

name

  • This option specifies the name of the Beat. Winlogbeat uses the server hostname if this option has no value. Winlogbeat also includes name as beat.name in each of its published transactions.

name: "text-forwader"

tags

  • Winlogbeat includes the tags values in each published transaction, which streamlines the grouping of servers. The following example shows how to set tags:

tags: ["the-service", "configuration", "the-test"]

fields

  • The fields option adds more information to the output from Winlogbeat. Its values can include scalar values, arrays, dictionaries or any nested combination of these values. The following example shows how you can use the fields option:

fields: {project: "myproject", instance-id: "574734885120952459"}

Conclusion

This tutorial provided step-by-step instructions on how to install and set up Winlogbeat in Elasticsearch, which allows you to ship Windows events to the ELK stack. Installing Winlogbeat consists of downloading a zip file, extracting it and executing a script. Configuring Winlogbeat requires you to modify the Winlogbeat section in winlogbeat.yml, which contains options for controlling Winlogbeat’s behavior.
