Winlogbeat is a lightweight agent that forwards Windows event logs to Logstash or Elasticsearch. It comes with a default configuration that listens on port 5044 for incoming Beats connections. This guide will show you how to install and configure Winlogbeat to forward Windows event logs to Logstash.
You can use the provided PowerShell scripts to set up a client with Winlogbeat and Sysmon. The scripts download the necessary files and install them on the client. Run the following command in PowerShell:
PowerShell.exe -ExecutionPolicy UnRestricted -File .\Client-Install.ps1
Make sure Sysmon is installed on the Windows clients you want to monitor. You can download Sysmon from the official website, which also has installation instructions; the basic install is to run the following from the directory where you extracted the files:
sysmon64.exe -accepteula -i
- Download version 7.1.1 of Winlogbeat from the official website.
- Extract the contents of the zip file to C:\Program Files\Winlogbeat
- Open PowerShell as an administrator and navigate to the Winlogbeat directory.
- Run the following command to install Winlogbeat as a service:
  PowerShell.exe -ExecutionPolicy Unrestricted -File .\install-service-winlogbeat.ps1
You can find the default configuration file at C:\Program Files\Winlogbeat\winlogbeat.yml. Copy the winlogbeat.yml file from this repository to the Winlogbeat directory and replace the existing file. It is already configured to forward Windows event logs to Logstash on localhost:5044.
After you have installed Winlogbeat and configured it, you can start the service by running the following command:
Start-Service winlogbeat
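The steps above (Sysmon present, configuration in place, service started) can be checked in one go before relying on the forwarder. The script below is an added example, not one of the repository's scripts and not the repository's winlogbeat.yml: it assumes Winlogbeat 7.1.1 is extracted to C:\Program Files\Winlogbeat and the service was registered with install-service-winlogbeat.ps1, writes a minimal constructed configuration (Security, System, Application and the Sysmon operational channel, shipped to Logstash on localhost:5044), then uses Winlogbeat's own test config and test output subcommands to validate the file and confirm the Logstash port is reachable before starting the service. The Sysmon64 service name and the Microsoft-Windows-Sysmon/Operational channel name are the standard ones for a 64-bit Sysmon install.

```powershell
# Added example: verifies a Winlogbeat + Sysmon client as set up in this guide.
# Not part of the original guide or the repository's scripts. Assumes Winlogbeat
# lives in C:\Program Files\Winlogbeat and the service is already registered.
# Run from an elevated PowerShell prompt.

$WinlogbeatDir = 'C:\Program Files\Winlogbeat'
$ConfigPath    = Join-Path $WinlogbeatDir 'winlogbeat.yml'
$LogstashHost  = 'localhost:5044'   # Logstash Beats input used throughout the guide

# 1. Sysmon must be installed, or the Sysmon channel below will never yield events.
$sysmon = Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue
if (-not $sysmon) {
    Write-Warning 'Sysmon64 service not found; run "sysmon64.exe -accepteula -i" first.'
}

# 2. Minimal constructed configuration (a stand-in for the repository's winlogbeat.yml).
#    ignore_older keeps the first run from replaying weeks of Security log history.
$config = @"
winlogbeat.event_logs:
  - name: Security
    ignore_older: 72h
  - name: System
  - name: Application
  - name: Microsoft-Windows-Sysmon/Operational

output.logstash:
  hosts: ["$LogstashHost"]
"@

# Keep a copy of whatever configuration was in place before overwriting it.
if (Test-Path $ConfigPath) {
    Copy-Item -Path $ConfigPath -Destination "$ConfigPath.bak" -Force
}
# ASCII avoids the UTF-8 BOM that Windows PowerShell would otherwise prepend.
Set-Content -Path $ConfigPath -Value $config -Encoding ASCII

# 3. Let Winlogbeat validate the file and open a connection to Logstash before the
#    service starts; both subcommands exit non-zero on failure.
Push-Location $WinlogbeatDir
try {
    & .\winlogbeat.exe test config -c $ConfigPath -e
    if ($LASTEXITCODE -ne 0) { throw 'winlogbeat.yml failed validation' }

    & .\winlogbeat.exe test output -c $ConfigPath -e
    if ($LASTEXITCODE -ne 0) { throw "Cannot reach Logstash at $LogstashHost" }
}
finally {
    Pop-Location
}

# 4. Start the service and confirm it stayed up rather than crashing on startup.
Start-Service -Name 'winlogbeat'
Start-Sleep -Seconds 5
$svc = Get-Service -Name 'winlogbeat'
if ($svc.Status -ne 'Running') { throw "winlogbeat service is $($svc.Status)" }
Write-Host "winlogbeat is running and forwarding to $LogstashHost"
```

If test output fails, the usual causes are Logstash's Beats input not running on 5044 or a host firewall between the client and the collector; fixing that before starting the service avoids a forwarder that silently queues and drops events.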