Enable Windows Audit Policy & Winlogbeat
PreviousSend Logs from Winlogbeat through Logstash to ELKNextElasticsearch API and Ingestion Pipeline
Last updated
Last updated
Windows Machine: https://info.microsoft.com/ww-landing-windows-10-enterprise.html
Windows Server: https://info.microsoft.com/ww-landing-windows-server-2022.html
Ubuntu Machine
We have successfully set up Elasticsearch and Kibana on the Ubuntu machine. The next step is to install Winlogbeat and configure it to send logs to the ELK stack. However, before proceeding with the installation, we need to apply specific policies to the Sales OU that was previously created.
Process Creation Logging:
Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration >
System Audit Policies - Local Group Policy Object > Detailed TrackingLet's call it Audit Logging.
Logon and Authentication Auditing:
Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration >
System Audit Policies - Local Group Policy Object > Logon/LogoffNext, we need to run the following command on the client machine to apply the policy:
gpupdate /forceNext, we need to configure Winlogbeat on the Windows Client.
Next, let's start the service:
Start-Service winlogbeat
Get-service winlogbeatNext, we will proceed with testing the configuration.
.\winlogbeat.exe test config -c .\winlogbeat.ymlBefore sending logs, let's check the connection to the configured output (Elasticsearch) is established.
.\winlogbeat.exe test outputThis command verifies if Winlogbeat can successfully send logs to the configured destination.
Next, we need to start Winlogbeat using the winlogbeat.yml configuration file to capture and display real-time logs in the console.
.\winlogbeat.exe -c .\winlogbeat.yml -e.\winlogbeat.exe → Runs the Winlogbeat program to collect windows logs.
-c .\winlogbeat.yml → Uses the winlogbeat.yml file for configuration (tells Winlogbeat where to send logs, like Elasticsearch).
-e → Shows log messages on the screen instead of saving them to a file.
We now need to confirm whether ELK successfully receives logs from Winlogbeat.
From Stack Management → Index Management
Let's apply filters based on specific Event IDs.
4688:A new process has been created.
4624: An account was successfully logged on.
4672: Special privileges assigned to new logon.
Let's create a dashboard that visualizes data of the Client01 machine.
