Working with Winlogbeat Modules

edit

Working with Winlogbeat Modules

edit

Winlogbeat comes packaged with pre-built modules that contain the configurations needed to collect, parse, enrich, and visualize data from various Windows logging providers. Each Winlogbeat module consists of one or more filesets that contain ingest node pipelines, Elasticsearch templates, Winlogbeat input configurations, and Kibana dashboards.

You can use Winlogbeat modules with Logstash, but you need to do some extra setup. The simplest approach is to set up and use the ingest pipelines provided by Winlogbeat.

Use ingest pipelines for parsing

edit

When you use Winlogbeat modules with Logstash, you can use the ingest pipelines provided by Winlogbeat to parse the data. You need to load the pipelines into Elasticsearch and configure Logstash to use them.

To load the ingest pipelines:

On the system where Winlogbeat is installed, run the setup command with the --pipelines option specified to load ingest pipelines for specific modules. For example, the following command loads ingest pipelines for the security and sysmon modules:

winlogbeat setup --pipelines --modules security,sysmon

A connection to Elasticsearch is required for this setup step because Winlogbeat needs to load the ingest pipelines into Elasticsearch. If necessary, you can temporarily disable your configured output and enable the Elasticsearch output before running the command.

To configure Logstash to use the pipelines:

On the system where Logstash is installed, create a Logstash pipeline configuration that reads from a Logstash input, such as Beats or Kafka, and sends events to an Elasticsearch output. Set the pipeline option in the Elasticsearch output to %{[@metadata][pipeline]} to use the ingest pipelines that you loaded previously.

Here’s an example configuration that reads data from the Beats input and uses Winlogbeat ingest pipelines to parse data collected by modules:

input {
  beats {
    port => 5044
  }
}

output {
  if [@metadata][pipeline] {
    elasticsearch {
      hosts => "https://061ab24010a2482e9d64729fdb0fd93a.us-east-1.aws.found.io:9243"
      manage_template => false
      index => "%{[@metadata][beat]}-%{[@metadata][version]}" 
      action => "create" 
      pipeline => "%{[@metadata][pipeline]}" 
      user => "elastic"
      password => "secret"
    }
  } else {
    elasticsearch {
      hosts => "https://061ab24010a2482e9d64729fdb0fd93a.us-east-1.aws.found.io:9243"
      manage_template => false
      index => "%{[@metadata][beat]}-%{[@metadata][version]}" 
      action => "create"
      user => "elastic"
      password => "secret"
    }
  }
}

If data streams are disabled in your configuration, set the index option to %{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}. Data streams are enabled by default.

If you are disabling the use of Data Streams on your configuration, you can remove this setting, or set it to a different value as appropriate.

Configures Logstash to select the correct ingest pipeline based on metadata passed in the event.

See the Winlogbeat Modules documentation for more information about setting up and running modules.