Set up Winlogbeat & Filebeat for log collection

Winlogbeat

We will begin by installing Winlogbeat on our Windows machine.

Next, we need to extract the contents of the downloaded archive into C:\Program Files.

Next, from the extracted Winlogbeat folder, let's run the following command to install the service:

PowerShell.exe -ExecutionPolicy Unrestricted -File .\install-service-winlogbeat.ps1

Next, we need to modify the winlogbeat.yml configuration file to enable the Windows event logs we want to collect:

Event IDs:

  • 4688: A new process has been created.

  • 4624: An account was successfully logged on.

  • 4625: An account failed to log on.

  • 4720: A user account was created.

  • 1102: The audit log was cleared.

Next, let's update the Elasticsearch output section:

  • ssl.verification_mode: none → This bypasses the certificate check.

  • protocol: "https" → This tells Winlogbeat to use HTTPS when connecting.

This configures Winlogbeat to send logs to a specific Elasticsearch server over HTTPS, authenticating with a username and password, but without verifying the server's certificate.
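As an added example (not part of the original walkthrough), the following winlogbeat.yml fragment applies both changes described above, with the walkthrough's unverified TLS setting shown next to a certificate-verified alternative; the hostname, username, keystore key name and CA path are assumptions.

```yaml
# winlogbeat.yml (added example; hostname, credentials and CA path are assumed values)

winlogbeat.event_logs:
  # All five event IDs in this walkthrough live in the Security channel.
  # 4688 (process creation) is only written when the "Audit Process Creation"
  # policy is enabled on the host.
  - name: Security
    event_id: 4688, 4624, 4625, 4720, 1102
    ignore_older: 72h        # on first start, skip events older than 72 hours

output.elasticsearch:
  hosts: ["elk.example.internal:9200"]   # assumed Elasticsearch host
  protocol: "https"
  username: "winlogbeat_writer"           # assumed account
  # Keep the password out of the file: store it in the Winlogbeat keystore
  #   .\winlogbeat.exe keystore create
  #   .\winlogbeat.exe keystore add ES_PASSWORD
  # and reference it here.
  password: "${ES_PASSWORD}"

  # Setting used in this walkthrough: the transport is encrypted, but the
  # server certificate is not checked, so the server identity is not verified.
  ssl.verification_mode: none

  # Hardened alternative: trust the Elasticsearch CA and verify the certificate.
  # Comment out the line above and uncomment these two (assumed CA path).
  # ssl.certificate_authorities: ['C:\ProgramData\winlogbeat\elasticsearch-ca.crt']
  # ssl.verification_mode: full
```

The `test config` and `test output` commands below will report whether the event log names and the TLS settings are accepted before the service is started.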

Now, we need to test the configuration file to identify any potential issues.

.\winlogbeat.exe test config -c .\winlogbeat.yml -e

We can also test the connection to our output by running:

.\winlogbeat.exe test output -c .\winlogbeat.yml -e

Next, we need to start the winlogbeat service:

Start-Service winlogbeat
Get-Service winlogbeat

Next, we need to run Winlogbeat in the foreground using the winlogbeat.yml configuration file so that it shows real-time logs in the console.

.\winlogbeat.exe -c .\winlogbeat.yml -e

  • .\winlogbeat.exe → Runs the Winlogbeat program to collect Windows event logs.

  • -c .\winlogbeat.yml → Uses the winlogbeat.yml file for configuration (tells Winlogbeat which logs to read and where to send them, such as Elasticsearch or Logstash).

  • -e → Shows log messages on the screen instead of saving them to a file.

Now, let's verify that the logs are properly displayed in Kibana.

Filebeat

Let's start by adding Elastic’s GPG key to verify the packages:

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elastic-keyring.gpg

Next, we need to add the Elastic repository to our system:

echo "deb [signed-by=/usr/share/keyrings/elastic-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-8.x.list

Next, let's update the package list and install Filebeat.

sudo apt update && sudo apt install filebeat

The next step is to open the Filebeat configuration file.

sudo nano /etc/filebeat/filebeat.yml

In this file, the Filebeat input is configured to read the system log files under /var/log/*.log; confirm that this input is enabled.

We also need to edit the output section of the file so that logs are sent directly to Elasticsearch.

Next, we need to start the Filebeat service and configure it to launch automatically at system startup.

sudo systemctl start filebeat
sudo systemctl enable filebeat
sudo systemctl status filebeat

Let's check the Filebeat configuration for any errors.

sudo filebeat test config

Let's also test the connection to Elasticsearch by running:

sudo filebeat test output

Let's verify whether the logs are being displayed in ELK.
