Winlogbeat – Collecting and Forwarding Windows Event Logs.

This document provides a step-by-step guide for installing and configuring Winlogbeat on a Windows machine to collect Windows event logs and forward them to an ELK stack running on an Ubuntu machine.

Winlogbeat

Winlogbeat is a lightweight log shipper from the Beats family that collects Windows event logs and forwards them to Elasticsearch or Logstash for analysis and visualization in Kibana. It runs as a Windows service and can be configured to send logs directly to Elasticsearch or through Logstash for further processing.

Prerequisites
  • A Windows machine.

  • An Ubuntu machine running Elasticsearch and Kibana.

  • Network connectivity between Windows and the Ubuntu machine.

You can test the connectivity by pinging the Ubuntu machine from the Windows machine. This is an important step because the logs won't be sent if there is no connectivity.

Download and Install Winlogbeat

  1. From the official Elastic Downloads page, download the Winlogbeat ZIP file that matches your Windows machine.

  2. Extract the contents of the ZIP file to C:\Program Files\Winlogbeat

  3. Open PowerShell as Administrator and navigate to the installation directory:

cd "C:\Program Files\Winlogbeat"

  4. Install the service with this command:

Powershell.exe -ExecutionPolicy UnRestricted -File .\install-service-winlogbeat.ps1

Configure Winlogbeat for Log Forwarding

  1. Open winlogbeat.yml in a text editor such as Notepad or Visual Studio Code. Locate the output.elasticsearch section and set it to your Elasticsearch IP address, username, and password.

Set ssl.verification_mode to none to bypass the certificate check.

  2. In the same file, locate the winlogbeat.event_logs section and configure the Windows log channels to collect from. Each channel can also be filtered by event ID.
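As an added example (not taken from this guide or from Elastic's sample file), here is a winlogbeat.yml fragment covering both steps above: the event_logs channels with event ID filters, and the output.elasticsearch section with the lab setting shown next to a hardened one. The host address, the dedicated user name, the CA file path and the chosen event IDs are assumptions.

```yaml
# winlogbeat.yml fragment (added example; host, user, CA path and event IDs are assumed values)

winlogbeat.event_logs:
  # Collect whole channels, but skip entries older than 72h on the first run
  - name: Application
    ignore_older: 72h
  - name: System
    ignore_older: 72h

  # Security channel: keep only the IDs worth alerting on.
  # event_id accepts single IDs, ranges (4700-4800) and exclusions (-4735).
  - name: Security
    event_id: 4624, 4625, 4648, 4672, 4688, 4720-4726, 4732, 4756, 1102

  # PowerShell module logging (4103) and script block logging (4104)
  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104

  # Sysmon channel, only present if Sysmon is installed on the host
  - name: Microsoft-Windows-Sysmon/Operational

output.elasticsearch:
  hosts: ["https://192.0.2.10:9200"]   # Ubuntu ELK host (example address)
  username: "winlogbeat_writer"        # dedicated write-only user, not the elastic superuser
  password: "${ES_PASSWORD}"           # resolved from the Winlogbeat keystore, not stored in the file

  # Lab setting from the guide: skips certificate validation entirely, so the
  # shipper cannot tell a spoofed Elasticsearch server from the real one.
  # ssl.verification_mode: none

  # Hardened setting: validate the server certificate against the cluster CA
  # (http_ca.crt copied from the Ubuntu machine).
  ssl.verification_mode: full
  ssl.certificate_authorities: ["C:/Program Files/Winlogbeat/http_ca.crt"]
```

The referenced secret is created with `.\winlogbeat.exe keystore create` followed by `.\winlogbeat.exe keystore add ES_PASSWORD`, which prompts for the value.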

  3. Test the configuration file and the connection to the output:

.\winlogbeat.exe test config -c .\winlogbeat.yml -e
.\winlogbeat.exe test output -c .\winlogbeat.yml -e

  4. Start the service and check its status:

Start-Service winlogbeat
Get-Service winlogbeat

  5. Next, run Winlogbeat using the configuration file we adjusted:

.\winlogbeat.exe

Verify Logs in Kibana

  1. Switch to the Ubuntu machine that runs Elasticsearch and Kibana, and open Kibana.

  2. Navigate to Stack Management > Index Management and search for winlogbeat.

  3. To see the logs, navigate to Discover and choose to add a data view.

You can set the name as you prefer; the index pattern must match one of your sources.
