Winlogbeat quick start: installation and configuration

edit

Winlogbeat quick start: installation and configuration

edit

This guide describes how to get started quickly with Windows log monitoring. You’ll learn how to:

  • install Winlogbeat on each system you want to monitor
  • specify the location of your log files
  • parse log data into fields and send it to Elasticsearch
  • visualize the log data in Kibana
Winlogbeat dashboard

Before you begin

edit

You need Elasticsearch for storing and searching your data, and Kibana for visualizing and managing it.

To get started quickly, spin up a deployment of our hosted Elasticsearch Service. The Elasticsearch Service is available on AWS, GCP, and Azure. Try it out for free.

Step 1: Install Winlogbeat

edit
  1. Download the Winlogbeat zip file from the downloads page.
  2. Extract the contents into C:\Program Files.
  3. Rename the winlogbeat-<version> directory to Winlogbeat.
  4. Open a PowerShell prompt as an Administrator (right-click on the PowerShell icon and select Run As Administrator).
  5. From the PowerShell prompt, run the following commands to install the service.
PS C:\Users\Administrator> cd 'C:\Program Files\Winlogbeat'
PS C:\Program Files\Winlogbeat> .\install-service-winlogbeat.ps1

Security warning
Run only scripts that you trust. While scripts from the internet can be useful,
this script can potentially harm your computer. If you trust this script, use
the Unblock-File cmdlet to allow the script to run without this warning message.
Do you want to run C:\Program Files\Winlogbeat\install-service-winlogbeat.ps1?
[D] Do not run  [R] Run once  [S] Suspend  [?] Help (default is "D"): R

Status   Name               DisplayName
------   ----               -----------
Stopped  winlogbeat         winlogbeat

If script execution is disabled on your system, you need to set the execution policy for the current session to allow the script to run. For example: PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-winlogbeat.ps1.

To use a local non-Administrator account to run Winlogbeat, follow these additional steps.

Step 2: Connect to the Elastic Stack

edit

Connections to Elasticsearch and Kibana are required to set up Winlogbeat.

Set the connection information in winlogbeat.yml. To locate this configuration file, see Directory layout.

Specify the cloud.id of your Elasticsearch Service, and set cloud.auth to a user who is authorized to set up Winlogbeat. For example:

cloud.id: "staging:dXMtZWFzdC0xLmF3cy5mb3VuZC5pbyRjZWM2ZjI2MWE3NGJmMjRjZTMzYmI4ODExYjg0Mjk0ZiRjNmMyY2E2ZDA0MjI0OWFmMGNjN2Q3YTllOTYyNTc0Mw=="
cloud.auth: "winlogbeat_setup:YOUR_PASSWORD" 

This examples shows a hard-coded password, but you should store sensitive values in the secrets keystore.

To learn more about required roles and privileges, see Grant users access to secured resources.

Step 3: Configure Winlogbeat

edit

In winlogbeat.yml, configure the event logs that you want to monitor.

  1. Under winlogbeat.event_log, specify a list of event logs to monitor. By default, Winlogbeat monitors application, security, and system logs.

    winlogbeat.event_logs:
      - name: Application
      - name: Security
      - name: System

    To obtain a list of available event logs, run Get-EventLog * in PowerShell. For more information about this command, see the configuration details for event_logs.name.

  2. (Optional) Set logging options to write Winlogbeat logs to a file:

    logging.to_files: true
    logging.files:
      path: C:\ProgramData\winlogbeat\Logs
    logging.level: info
  3. After you save your configuration file, test it with the following command.

    PS C:\Program Files\Winlogbeat> .\winlogbeat.exe test config -c .\winlogbeat.yml -e

For more information about configuring Winlogbeat, also see:

Step 4: Set up assets

edit

Winlogbeat comes with predefined assets for parsing, indexing, and visualizing your data. To load these assets:

  1. Make sure the user specified in winlogbeat.yml is authorized to set up Winlogbeat.
  2. From the installation directory, run:

    PS > .\winlogbeat.exe setup -e

This step loads the recommended index template for writing to Elasticsearch , loads the ingest pipelines to parse the events (x-pack only), and deploys the sample dashboards for visualizing the data in Kibana.

A connection to Elasticsearch (or Elasticsearch Service) is required to set up the initial environment. If you’re using a different output, such as Logstash, see:

Step 5: Start Winlogbeat

edit

Before starting Winlogbeat, modify the user credentials in winlogbeat.yml and specify a user who is authorized to publish events.

To start the Winlogbeat service, run:

PS C:\Program Files\Winlogbeat> Start-Service winlogbeat

Winlogbeat should now be running. If you used the logging configuration described here, you can view the log file at C:\ProgramData\winlogbeat\Logs\winlogbeat.

You can view the status of the service and control it from the Services management console in Windows. To launch the management console, run this command:

PS C:\Program Files\Winlogbeat> services.msc

Stop Winlogbeat

edit

Stop the Winlogbeat service with the following command:

PS C:\Program Files\Winlogbeat> Stop-Service winlogbeat

Step 6: View your data in Kibana

edit

Winlogbeat comes with pre-built Kibana dashboards and UIs for visualizing log data. You loaded the dashboards earlier when you ran the setup command.

To open the dashboards:

  1. Launch Kibana:

    1. Log in to your Elastic Cloud account.
    2. Navigate to the Kibana endpoint in your deployment.
  2. In the side navigation, click Discover. To see Winlogbeat data, make sure the predefined winlogbeat-* index pattern is selected.

    If you don’t see data in Kibana, try changing the time filter to a larger range. By default, Kibana shows the last 15 minutes.

  3. In the side navigation, click Dashboard, then select the dashboard that you want to open.

The dashboards are provided as examples. We recommend that you customize them to meet your needs.

Using a local non-Administrator account to run Winlogbeat

edit

By default, the Winlogbeat service runs as the Local System account. If you want to run the Winlogbeat service as a local user account that is not an Administrator, then follow the steps below. The local user account must be granted Log on as a service in the security policy and be made part of the Builtin\Event Log Readers group to read the event log.

  1. Open the Services Management console with this command:

    PS C:\Program Files\Winlogbeat> services.msc
  2. Right-click on service named winlogbeat and select Properties
  3. Under Log On tab, select This account: and browse for the local account user that you want to run Winlogbeat service as.
  4. Enter local user account’s password and click Apply.
  5. Search and open Local Group Policy Editor in Windows search or run gpedit.msc from Powershell.
  6. Navigate to path: Computer Settings → Security Settings → Local Policies and open User Rights Assignment under it.
  7. Inside User Rights Assignment, add your local user account to the policy named Log on as a service. This should allow your local user account log on as a service.
  8. Open Local Users and Group Manager by running lusrmgr.msc in Powershell.
  9. Under Users, right-click on your local account user and open Properties.
  10. Select Member of tab and click on Add...
  11. Find and select the group named Event Log Readers and click Apply. This should allow your local account user to read the event log.

What’s next?

edit

Now that you have your logs streaming into Elasticsearch, learn how to unify your logs, metrics, uptime, and application performance data.

  1. Ingest data from other sources by installing and configuring other Elastic Beats:

    Elastic Beats To capture

    Metricbeat

    Infrastructure metrics

    Filebeat

    Logs

    Heartbeat

    Uptime information

    APM

    Application performance metrics

    Auditbeat

    Audit events

  2. Use the Observability apps in Kibana to search across all your data:

    Elastic apps Use to

    Metrics app

    Explore metrics about systems and services across your ecosystem

    Logs app

    Tail related log data in real time

    Uptime app

    Monitor availability issues across your apps and services

    APM app

    Monitor application performance

    SIEM app

    Analyze security events