# Enable Windows Audit Policy & Winlogbeat

## Prerequisites:

* ***`Windows Machine`***: <https://info.microsoft.com/ww-landing-windows-10-enterprise.html>
* ***`Windows Server`***: <https://info.microsoft.com/ww-landing-windows-server-2022.html>
* ***`Ubuntu Machine`***

We have successfully set up Elasticsearch and Kibana on the Ubuntu machine. The next step is to install Winlogbeat and configure it to send logs to the ELK stack. However, before proceeding with the installation, we need to apply specific policies to the Sales OU that was previously created.

* **`Process Creation Logging`:**

```
Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration >
System Audit Policies - Local Group Policy Object > Detailed Tracking
```

Under **Detailed Tracking**, set **Audit Process Creation** to *Success*; this is the subcategory that writes event 4688. Note that 4688 records only the executable path unless you also enable `Computer Configuration > Policies > Administrative Templates > System > Audit Process Creation > Include command line in process creation events`. The command line is what makes 4688 useful for detection, but it can also capture secrets passed as arguments, so treat the Security log as sensitive once it is on.

<figure><img src="/files/P6gtA5cU5yNiS8nYgGFS" alt=""><figcaption></figcaption></figure>

Let's call it **Audit Logging**.

<figure><img src="/files/fkBUqwUktAK8jGvOIkSI" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/ZkWj3r55pUoGqTWjREv1" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/YXw5DrvqgvseLq4xxXFF" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/g8XDL5MSjUCxUu6O9p8V" alt=""><figcaption></figcaption></figure>

* **`Logon and Authentication Auditing`:**

```
Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration >
System Audit Policies - Local Group Policy Object > Logon/Logoff
```

Under **Logon/Logoff**, set **Audit Logon** to *Success and Failure* (events 4624 and 4625) and **Audit Special Logon** to *Success* (event 4672, raised when a logon receives administrator-equivalent privileges).

<figure><img src="/files/exEiMxrycKgCkigOSIMo" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/yp6kjTkCcD8zG43lnH6C" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/GMib81Nt2eBdsKcHyJa1" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/hEPRSAMha7xIV2wKOxnI" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/eZixfIEG2acPrJk1GmEI" alt=""><figcaption></figcaption></figure>

Next, run the following command from an elevated prompt on the client machine to pull the new GPO immediately instead of waiting for the background refresh:

```powershell
gpupdate /force
```

<figure><img src="/files/Nm8XySOboxucng8xpM9J" alt=""><figcaption></figcaption></figure>
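Before installing anything on the client it is worth confirming that the policy actually landed, because Winlogbeat can only ship events that Windows writes. The following is an added verification script, not part of the original lab; it assumes the GPO is named `Audit Logging` as above and is run from an elevated PowerShell prompt on the domain-joined client.

```powershell
# Added verification step (not part of the original lab): after gpupdate /force,
# confirm on the client that the "Audit Logging" GPO was applied and that the
# subcategories which produce 4688 / 4624 / 4672 are actually enabled.
# Run from an elevated PowerShell prompt on the domain-joined client.

# 1. Was the GPO applied to the computer at all? The GPO name comes from the lab;
#    adjust $gpoName if you named it differently.
$gpoName = 'Audit Logging'
$applied = (gpresult /r /scope:computer) -join "`n"
if ($applied -match [regex]::Escape($gpoName)) {
    "GPO '$gpoName' is listed under Applied Group Policy Objects"
} else {
    "GPO '$gpoName' NOT applied - check the OU link and security filtering"
}

# 2. Effective audit policy per subcategory. 'No Auditing' here means the events
#    will never be written, no matter how Winlogbeat is configured.
$wanted = @{
    'Process Creation' = 'Success'               # -> 4688
    'Logon'            = 'Success and Failure'   # -> 4624 / 4625
    'Special Logon'    = 'Success'               # -> 4672
}
foreach ($sub in $wanted.Keys) {
    # auditpol prints "  <Subcategory>   <Setting>" under the category header.
    $line  = auditpol /get /subcategory:"$sub" | Select-String -Pattern "^\s+$sub\s+(.+)$"
    $state = if ($line) { $line.Matches[0].Groups[1].Value.Trim() } else { 'not found' }
    '{0,-18} {1,-22} (want: {2})' -f $sub, $state, $wanted[$sub]
}

# 3. 4688 carries the process command line only if this policy value is 1
#    (Administrative Templates > System > Audit Process Creation >
#     "Include command line in process creation events"). The lab GPO does not set it.
$key     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
$cmdline = (Get-ItemProperty -Path $key -Name ProcessCreationIncludeCmdLine_Enabled `
            -ErrorAction SilentlyContinue).ProcessCreationIncludeCmdLine_Enabled
'Command line in 4688: ' + $(if ($cmdline -eq 1) { 'enabled' } else { 'disabled (4688 will show only the executable path)' })
```

If step 1 reports the GPO as applied but step 2 still shows `No Auditing`, the usual cause is a legacy audit setting in another GPO overriding the advanced one; `auditpol /get /category:*` shows the full effective state.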

Next, we need to configure Winlogbeat on the Windows client. At a minimum, `winlogbeat.yml` must list the **Security** log under `winlogbeat.event_logs` and point `output.elasticsearch.hosts` at the Elasticsearch instance on the Ubuntu machine; the service itself is registered with the `install-service-winlogbeat.ps1` script that ships in the Winlogbeat archive.

<figure><img src="/files/Em8j5emP0ju1WYUAaH3u" alt=""><figcaption></figcaption></figure>

Next, let's start the service:

```powershell
Start-Service winlogbeat
Get-Service winlogbeat
```

<figure><img src="/files/Moj7UusLrCfzWEEB6ygf" alt=""><figcaption></figcaption></figure>

Next, validate the configuration file. This parses `winlogbeat.yml` and reports syntax or unknown-option errors without starting collection:

```powershell
.\winlogbeat.exe test config -c .\winlogbeat.yml
```

<figure><img src="/files/rB8CYaIB5i7XjAgxUU5s" alt=""><figcaption></figcaption></figure>

Before sending logs, let's check that Winlogbeat can reach the configured output (Elasticsearch):

```powershell
.\winlogbeat.exe test output
```

<figure><img src="/files/X8kkEv36WEylrs3uCLYd" alt=""><figcaption></figcaption></figure>

This command verifies the path to the destination end to end: DNS resolution, the TCP connection, the TLS handshake (if configured), authentication, and that the endpoint answers as Elasticsearch. It does not send any events, so a passing test only means the pipe is open, not that data is flowing.

Next, we can start **`Winlogbeat`** in the foreground with the `winlogbeat.yml` configuration file to watch its own log output in the console while it collects and ships events. Stop the `winlogbeat` service first: a second instance started from the extraction folder keeps its own bookmark of the Security log, so both copies would ship the same events and you would see duplicates in Kibana.

```powershell
.\winlogbeat.exe -c .\winlogbeat.yml -e
```

<figure><img src="/files/Eur2nvsRa6i59uHV33XO" alt=""><figcaption></figcaption></figure>

* `.\winlogbeat.exe` → Runs the Winlogbeat program to collect Windows event logs.
* `-c .\winlogbeat.yml` → Uses the **winlogbeat.yml** file for configuration (which event logs to read and where to send them, such as Elasticsearch).
* `-e` → Writes Winlogbeat's **own** log (startup, connection and publish errors) to the console instead of a log file. It does not print the collected Windows events; those only go to the configured output.
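The steps above (configure, install the service, test config, test output, start) put together as one added end-to-end script. This is not the lab's own `winlogbeat.yml` or screenshots; every address, path and account name in it is an assumption to replace with your lab's values: Winlogbeat unzipped to `C:\Program Files\Winlogbeat`, Elasticsearch at `https://192.0.2.10:9200` and Kibana at `https://192.0.2.10:5601`, the Elasticsearch HTTP CA (by default `/etc/elasticsearch/certs/http_ca.crt` on an Elasticsearch 8 package install) copied to `es-ca.crt` next to `winlogbeat.exe`, and a dedicated ingest user `winlogbeat_writer` rather than the `elastic` superuser.

```powershell
# Added end-to-end example (not the lab's own winlogbeat.yml): write a minimal
# configuration, keep the Elasticsearch password in the Beats keystore, install
# the service, run the config/output tests, load the index template, then start.
# Assumptions (change to match your lab): Winlogbeat is unzipped to
# C:\Program Files\Winlogbeat; Elasticsearch listens on https://192.0.2.10:9200
# and Kibana on https://192.0.2.10:5601; the HTTP CA exported from the Ubuntu
# host is saved as es-ca.crt next to winlogbeat.exe; a least-privilege ingest
# user 'winlogbeat_writer' exists. Run from an elevated PowerShell prompt.
Set-Location 'C:\Program Files\Winlogbeat'

# install-service-winlogbeat.ps1 registers the service with
# --path.data "%PROGRAMDATA%\winlogbeat", and the keystore lives under path.data,
# so every command below passes the same path or the service will not find the secret.
$dataDir = "$env:PROGRAMDATA\winlogbeat"

# Single-quoted here-string: ${ES_PASSWORD} must reach Beats literally, which
# resolves it from the keystore at start-up; the password never lands in the YAML.
$yml = @'
winlogbeat.event_logs:
  - name: Security
    # Ship only the events the Sales OU GPO enables; everything else is dropped
    # on the client instead of being shipped, indexed and paid for.
    event_id: 4624, 4672, 4688
    ignore_older: 72h
  - name: System
  - name: Application

output.elasticsearch:
  hosts: ["https://192.0.2.10:9200"]
  username: "winlogbeat_writer"
  password: "${ES_PASSWORD}"
  # Pin the lab CA instead of ssl.verification_mode: none, which would let any
  # host on the network impersonate Elasticsearch and receive the logs.
  ssl.certificate_authorities: ["C:\\Program Files\\Winlogbeat\\es-ca.crt"]

setup.kibana:
  host: "https://192.0.2.10:5601"
  ssl.certificate_authorities: ["C:\\Program Files\\Winlogbeat\\es-ca.crt"]
'@
Set-Content -Path .\winlogbeat.yml -Value $yml -Encoding ascii

# Keystore: 'add' prompts for the value, so the password stays out of shell history.
.\winlogbeat.exe keystore create --path.data $dataDir
.\winlogbeat.exe keystore add ES_PASSWORD --path.data $dataDir

# Register the Windows service (the script ships in the Winlogbeat zip).
PowerShell.exe -ExecutionPolicy Bypass -File .\install-service-winlogbeat.ps1

# Validate syntax, then connectivity (TCP, TLS against es-ca.crt, auth),
# before the service is started; -e sends Winlogbeat's own log to the console.
.\winlogbeat.exe test config -c .\winlogbeat.yml -e --path.data $dataDir
.\winlogbeat.exe test output -c .\winlogbeat.yml -e --path.data $dataDir

# Load the index template and the prebuilt Kibana dashboards once, then start.
.\winlogbeat.exe setup -c .\winlogbeat.yml -e --path.data $dataDir
Start-Service winlogbeat
Get-Service winlogbeat
```

If the lab's Elasticsearch runs without security enabled, change `hosts` to `http://...` and drop the `username`, `password` and `ssl.*` lines, but be aware that this also lets anyone on the lab network read, write or delete the `winlogbeat-*` index.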

We now need to confirm whether ELK successfully receives logs from **`Winlogbeat`**.

From **Stack Management → Index Management**, confirm that a `winlogbeat-*` data stream or index exists and that its document count is increasing.

<figure><img src="/files/Hl0U0mVw3ipnyERVkXR5" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/VtuTwhrJJ2UdvbgvomzQ" alt=""><figcaption></figcaption></figure>

Let's apply filters based on specific Event IDs. In Discover, the ID is in `event.code` (Winlogbeat also keeps the raw value in `winlog.event_id`), so a KQL filter such as `event.code : 4688` selects one event type.

<figure><img src="/files/mq5ER2AWt8yCVpS8dG9m" alt=""><figcaption></figcaption></figure>

* ***`4688`***: A new process has been created (`winlog.event_data.NewProcessName`, plus `winlog.event_data.CommandLine` when command-line auditing is enabled).

<figure><img src="/files/nMtMOL9MJ44U2WAq7K6k" alt=""><figcaption></figcaption></figure>

* ***`4624`***: An account was successfully logged on (`winlog.event_data.LogonType` distinguishes interactive, network and RDP logons).

<figure><img src="/files/be7Tg8gqUdGIi17qn7rI" alt=""><figcaption></figcaption></figure>

* ***`4672`***: Special privileges assigned to new logon. This fires for every administrator-equivalent logon, so it is noisy on its own but, paired with the 4624 that shares its `winlog.logon.id`, shows who logged on with admin rights and from where.
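If an Event ID is missing in Kibana, check the client's own Security log before debugging the pipeline. The following added helper (not part of the original lab) pulls the same three events locally and extracts the fields that matter from the event XML, so you can compare what Windows wrote with what arrived in Elasticsearch. It must run elevated, since reading the Security log requires it.

```powershell
# Added local check (not part of the original lab): confirm the audited events are
# being written on the client at all, and show the fields Winlogbeat will ship.
# Run from an elevated PowerShell prompt on the client.
function Get-AuditSummary {
    param(
        [int[]]$EventId   = @(4688, 4624, 4672),
        [int]  $MaxEvents = 20
    )

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $EventId } -MaxEvents $MaxEvents |
        ForEach-Object {
            # EventData lives in the XML; read it by field name, not by position,
            # because the positional layout differs between event IDs.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            $detail = switch ($_.Id) {
                # CommandLine is empty unless the "Include command line" policy is on.
                4688 { "$($data.NewProcessName) $($data.CommandLine)".Trim() }
                # LogonType: 2 = interactive, 3 = network, 10 = RemoteInteractive (RDP).
                4624 { "type=$($data.LogonType) user=$($data.TargetDomainName)\$($data.TargetUserName) from=$($data.IpAddress)" }
                # PrivilegeList is whitespace-separated; SeDebugPrivilege etc. mark admin logons.
                4672 { "user=$($data.SubjectDomainName)\$($data.SubjectUserName) privs=$(($data.PrivilegeList -split '\s+' | Where-Object { $_ }) -join ',')" }
                default { 'unhandled event id' }
            }

            [pscustomobject]@{
                Time   = $_.TimeCreated
                Id     = $_.Id
                Detail = $detail
            }
        }
}

Get-AuditSummary | Format-Table -AutoSize -Wrap
```

If `Get-WinEvent` reports that no events match, the audit policy is not in effect on this host and no amount of Winlogbeat tuning will help; if events are present locally but absent in Kibana, the problem is in shipping (check `event_id` filters in `winlogbeat.yml` and the Winlogbeat log).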

Let's create a dashboard that visualizes the data from the Client01 machine, filtering on `host.name : "Client01"` so that events from other hosts shipping to the same index are excluded.

<figure><img src="/files/LdcDPFiN9eqA8RlWcRW2" alt=""><figcaption></figcaption></figure>
