Step 1: Install Winlogbeat

edit

Before you begin: If you haven’t installed the Elastic Stack, do that now. See Getting started with the Elastic Stack.

  1. Download the Winlogbeat zip file from the downloads page.
  2. Extract the contents into C:\Program Files.
  3. Rename the winlogbeat-<version> directory to Winlogbeat.
  4. Open a PowerShell prompt as an Administrator (right-click on the PowerShell icon and select Run As Administrator).
  5. From the PowerShell prompt, run the following commands to install the service.
PS C:\Users\Administrator> cd 'C:\Program Files\Winlogbeat'
PS C:\Program Files\Winlogbeat> .\install-service-winlogbeat.ps1

Security warning
Run only scripts that you trust. While scripts from the internet can be useful,
this script can potentially harm your computer. If you trust this script, use
the Unblock-File cmdlet to allow the script to run without this warning message.
Do you want to run C:\Program Files\Winlogbeat\install-service-winlogbeat.ps1?
[D] Do not run  [R] Run once  [S] Suspend  [?] Help (default is "D"): R

Status   Name               DisplayName
------   ----               -----------
Stopped  winlogbeat         winlogbeat

If script execution is disabled on your system, you need to set the execution policy for the current session to allow the script to run. For example: PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-winlogbeat.ps1.

Before starting Winlogbeat, you should look at the configuration options in the configuration file, for example C:\Program Files\Winlogbeat\winlogbeat.yml. There’s also a full example configuration file called winlogbeat.reference.yml that shows all non-deprecated options. For more information about these options, see Configuring Winlogbeat.