Sending Windows Event Forwarder Server (WEF) Logs to Elasticsearch (Winlogbeat)

Now that all of your hosts are forwarding their logs to your Windows Event Forwarder (the WEF collector), it's time to ship those forwarded events to Elasticsearch so we can visualize them in Kibana and make meaningful decisions based on the data.

Prerequisites:

  • Winlogbeat – Download here (64-bit)
  • Windows host – the WEF collector on which the forwarded events land; this is the system Winlogbeat will read the logs from.

Step 1: Download and extract winlogbeat.zip to C:\Program Files\ (the resulting folder should look like the image below)

Step 2: Open winlogbeat.yml in Notepad (or any plain-text editor) and edit it:

We will add the following under winlogbeat.event_logs:

(Note: this will not include events older than 3 days.)

Next, scroll down until you reach output.logstash: and add your Logstash server information here (the host and port that your Logstash Beats input listens on).

Save the winlogbeat.yml and exit.

Step 3: Install Winlogbeat as a service

Launch PowerShell (Run as Administrator) and enter the following:

Verify that the service is running.
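The complete procedure from Steps 2 and 3, as an added PowerShell example (this is not the configuration or command listing from the original post). It assumes Winlogbeat 6.x or later was extracted to C:\Program Files\Winlogbeat, that the Logstash Beats input listens on the placeholder host logstash.example.local port 5044, and that you run it from an elevated PowerShell session; adjust those values to your environment.

```powershell
# Added example, not from the original post. Assumptions (placeholders, adjust as needed):
#   - Winlogbeat 6.x+ extracted to C:\Program Files\Winlogbeat
#   - Logstash Beats input reachable at logstash.example.local:5044
#   - running in an elevated (Run as Administrator) PowerShell session
$WinlogbeatDir = 'C:\Program Files\Winlogbeat'
$ConfigPath    = Join-Path $WinlogbeatDir 'winlogbeat.yml'
Set-Location $WinlogbeatDir

# Step 2: write winlogbeat.yml. ForwardedEvents is the log the WEF collector writes
# subscribed events into; ignore_older: 72h skips events older than 3 days.
@'
winlogbeat.event_logs:
  - name: ForwardedEvents
    ignore_older: 72h
    # forwarded: true is already the default for ForwardedEvents; it tells Winlogbeat the
    # events came from remote hosts via WEF rather than from this collector itself.
    forwarded: true

output.logstash:
  # Placeholder: replace with your Logstash server and Beats input port.
  hosts: ["logstash.example.local:5044"]
  # Recommended once your Logstash beats input has ssl => true: trust only your CA so the
  # forwarded security events are not shipped in clear text across the network.
  # ssl.certificate_authorities: ["C:/Program Files/Winlogbeat/ca.crt"]
'@ | Set-Content -Path $ConfigPath -Encoding ASCII

# Validate the file and the output connection before installing anything.
& .\winlogbeat.exe test config -c $ConfigPath -e
if ($LASTEXITCODE -ne 0) { throw "winlogbeat.yml failed validation, fix it before installing the service" }
& .\winlogbeat.exe test output -c $ConfigPath -e
if ($LASTEXITCODE -ne 0) { throw "Logstash output is not reachable, check host/port and firewall" }

# Step 3: register the service with the script shipped in the zip, then start it.
PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-winlogbeat.ps1
Start-Service winlogbeat

# Verify: the service must be Running, and the newest Winlogbeat log file should show
# a Logstash connection and published events. The bundled install script points
# -path.logs at C:\ProgramData\winlogbeat\logs; change this if your install differs.
Get-Service winlogbeat | Select-Object Name, Status, StartType
Get-ChildItem 'C:\ProgramData\winlogbeat\logs' |
    Sort-Object LastWriteTime |
    Select-Object -Last 1 |
    Get-Content -Tail 20
```

The two `test` subcommands are worth keeping in the routine: a typo in the YAML or a blocked port 5044 otherwise surfaces only as a service that starts and silently ships nothing. On Winlogbeat 5.x the equivalent validation is `winlogbeat.exe -configtest -e -c winlogbeat.yml`.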

Done! Next tutorial will focus on Kibana so you may start visualizing the data.

Here’s the Kibana article

If you have any questions feel free to send me a message on Twitter where I’ll answer quicker.

Trackbacks (2):

  • Link collection: Monitoring Windows Security Events with ELK | Susanns Weblog
  • Lessons Learned: Winlogbeat & Forwarded Events – no event description – David Vassallo's Blog

    […] This means that probably the most efficient way of getting the AZLog events from the central collector to Elasticsearch would be to use WinLogBeat. Configuration is simple enough; simply using a WinLogBeat configuration file like so would do the job [1]: […]