This content originally appeared on Level Up Coding - Medium and was authored by Mohamadou Abdoul Bagui
Glad to see you back for our adventure on the Elastic Stack. Today we are going to talk about Winlogbeat and how to install it on a Windows system.
Winlogbeat is a lightweight shipper for Windows event logs and part of the larger Elastic Beats family. It's a tool designed specifically to provide live streams of Windows event logs, built on the libbeat framework. Winlogbeat automatically ships the raw data it collects to Elasticsearch or any other configured output, where it is indexed for later use. It serves as a security-monitoring tool and lets users monitor practically anything occurring on their Windows hosts, such as:
- application events
- hardware events
- security events
- system events
Installation and Configuration
Before we begin, you will need a running deployment of Kibana and Elasticsearch. Read this article about it if you haven't already.
As always, go to the official Elastic website to download Winlogbeat. Once the archive is downloaded, extract it and open the winlogbeat.yml file to configure it. First, navigate to the output section, where we configure Elasticsearch as follows:
output.elasticsearch:
  hosts: ["https://localhost:9200"]
  username: "elastic"
  password: "TYPE_HERE"
  # If using Elasticsearch's default certificate
  ssl:
    enabled: true
    ca_trusted_fingerprint: "your_fingerprint"
Note that this tutorial is done on a secure deployment of Elasticsearch, so ca_trusted_fingerprint must be set here. The fingerprint is the hex-encoded SHA-256 of the CA certificate generated when you start Elasticsearch for the first time. If you lost it, don't panic: you can always retrieve it with the following command:
openssl x509 -fingerprint -sha256 -in config/certs/http_ca.crt
This command cannot be run in the standard Windows terminal, because openssl is not installed by default. You will need to download and install Git, open Git CMD and run the command from the Elasticsearch root folder.
Once done, go to the winlogbeat.event_logs section to specify the list of event logs to monitor. By default, Winlogbeat monitors the application, security, and system logs. To see all the event logs available on your machine, run the following command in PowerShell: Get-EventLog *
Winlogbeat comes with a set of utilities to check whether the configuration and the connectivity to the output are in place. Save the configuration file and, from the root folder, run the following commands one after the other:
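As an added example that is not part of the original article, the following PowerShell script computes the same SHA-256 fingerprint as the openssl command above directly from http_ca.crt, using only .NET classes that ship with Windows, and checks it against the ca_trusted_fingerprint value in winlogbeat.yml. The certificate and configuration paths in the usage call are assumptions; adjust them to your installation.

```powershell
# Added example, not from the original article. Computes the SHA-256 fingerprint
# of Elasticsearch's HTTP CA certificate (the value ca_trusted_fingerprint expects)
# with PowerShell and .NET only, and checks it against winlogbeat.yml.

function Get-CaFingerprint {
    param([Parameter(Mandatory)][string]$CertPath)

    # X509Certificate2 loads both PEM (as written by Elasticsearch) and DER files.
    $fullPath = (Resolve-Path -Path $CertPath).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $fullPath

    # $cert.Thumbprint is SHA-1 on Windows PowerShell, so hash the DER bytes (RawData)
    # with SHA-256 ourselves. This is the same value "openssl x509 -fingerprint -sha256"
    # prints: the hash of the DER encoding, not of the PEM text file.
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    try     { $digest = $sha256.ComputeHash($cert.RawData) }
    finally { $sha256.Dispose() }

    # Format like openssl: upper-case hex pairs joined with colons.
    $colonHex = ($digest | ForEach-Object { $_.ToString("X2") }) -join ":"

    [pscustomobject]@{
        Subject     = $cert.Subject
        NotAfter    = $cert.NotAfter
        Fingerprint = $colonHex
    }
}

function Test-WinlogbeatCaFingerprint {
    param(
        [Parameter(Mandatory)][string]$CertPath,
        [Parameter(Mandatory)][string]$ConfigPath
    )

    $expected = (Get-CaFingerprint -CertPath $CertPath).Fingerprint

    # Pull the configured value out of winlogbeat.yml. Only hex digits and colons are
    # accepted (64 chars bare, 95 with colons), so the "your_fingerprint" placeholder
    # from the article is reported as unset rather than silently compared.
    $hit = Select-String -Path $ConfigPath -Pattern '^\s*ca_trusted_fingerprint:\s*"?([0-9A-Fa-f:]{64,95})"?' |
           Select-Object -First 1
    if (-not $hit) {
        throw "ca_trusted_fingerprint is missing or still a placeholder in $ConfigPath"
    }
    $configured = $hit.Matches[0].Groups[1].Value

    # Compare ignoring case and colon separators, the two ways the value is commonly written.
    $normalize = { param($s) ($s -replace ':', '').ToLowerInvariant() }
    $isMatch = (& $normalize $expected) -eq (& $normalize $configured)

    [pscustomobject]@{
        Expected   = $expected
        Configured = $configured
        Match      = $isMatch
    }
}

# Usage (both paths are assumptions for this example):
$result = Test-WinlogbeatCaFingerprint -CertPath 'C:\elasticsearch\config\certs\http_ca.crt' `
                                       -ConfigPath 'C:\winlogbeat\winlogbeat.yml'
$result | Format-List
if (-not $result.Match) {
    Write-Warning "winlogbeat.yml does not trust the CA certificate at the given path; fix ca_trusted_fingerprint before running 'winlogbeat test output'."
}
```

The fingerprint is taken over the certificate's DER bytes, which is why the script hashes $cert.RawData instead of running Get-FileHash on the .crt file: hashing the PEM text would give a different, wrong value.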
./winlogbeat test config
./winlogbeat test output
Also, to set up the assets for parsing, indexing, and visualizing your data, run the following command:
./winlogbeat setup
NB: the -e flag is optional; it sends output to standard error instead of the configured log output.
All that remains is to launch Winlogbeat with the command:
./winlogbeat -e
Click Discover in the side navigation of Kibana. Make sure the predefined winlogbeat-* index pattern is selected in order to view Winlogbeat data.
The setup command loaded a number of dashboards in which the data can be explored. In the Dashboard section, open one of the dashboards to verify that your installation is working, as seen below:
That's it for today; feel free to check the official documentation on this subject for more details. Thanks for reading, and if you have questions or comments regarding this article, please feel free to leave a comment below.
I'll see you next time for more posts.
Abdoul-Bagui M.
Winlogbeat with local Elasticsearch and Kibana was originally published in Level Up Coding on Medium, where people are continuing the conversation by highlighting and responding to this story.
Mohamadou Abdoul Bagui | Sciencx (2022-10-24T01:31:27+00:00) Winlogbeat with local Elasticsearch and Kibana. Retrieved from https://www.scien.cx/2022/10/24/winlogbeat-with-local-elasticsearch-and-kibana/