# Set up Winlogbeat & Filebeat for log collection

## Winlogbeat

We will begin by installing Winlogbeat on our Windows machine.

* ***`Winlogbeat`***: <https://www.elastic.co/downloads/beats/winlogbeat>

Next, we need to extract the contents into `C:\Program Files`.

<figure><img src="/files/oM3ycMrL8d8EJ1V1MVR9" alt=""><figcaption></figcaption></figure>

Next, let's run the following commands to install the service.

```powershell
PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-winlogbeat.ps1
```

<figure><img src="/files/51vWzLqPj7thIRgCRCmS" alt=""><figcaption></figcaption></figure>

Next, we need to modify the `winlogbeat.yml` configuration file to enable the Windows event logs we want to collect:

<figure><img src="/files/dnYOncNkYk8ufkQJRPHJ" alt=""><figcaption></figcaption></figure>

**Event IDs:**

* ***`4688`***: A new process has been created.
* ***`4624`***: An account was successfully logged on.
* ***`4625`***: An account failed to log on.
* ***`4720`***: A user account was created.
* ***`1102`***: The audit log was cleared.

Next, let's update the Elasticsearch output section:

<figure><img src="/files/jE2BW0w0wo5Yafl91Ilv" alt=""><figcaption></figcaption></figure>

* ***`ssl.verification_mode: none`*** → This will bypass the certificate check.
* ***`protocol: "https"`*** → This tells Winlogbeat to use the HTTPS protocol when connecting.

This configures Winlogbeat to send logs to a specific Elasticsearch server over HTTPS, authenticating with a username and password. Because `ssl.verification_mode: none` is set, the connection is encrypted but the server's certificate is never validated, so Winlogbeat cannot distinguish the real Elasticsearch node from an impostor; that is acceptable for this lab but not for a production deployment.
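The following `winlogbeat.yml` fragment is an added example, not the configuration from the original screenshots. It combines the two edits described above: a single `Security` log entry restricted to the five event IDs listed, and the Elasticsearch output. The host `192.0.2.10`, the keystore entry `ES_PWD` and the CA file path are placeholders. The lab's `ssl.verification_mode: none` is kept as a commented-out line beside the hardened form, which pins the Elasticsearch CA so the server is actually verified. Two caveats: `4688` is only generated when the "Audit Process Creation" subcategory is enabled in the local or domain audit policy, and `${ES_PWD}` is resolved from the Beats keystore (`.\winlogbeat.exe keystore create`, then `.\winlogbeat.exe keystore add ES_PWD`) or from the environment, so the password does not sit in clear text in the file.

```yaml
# winlogbeat.yml (added example; host, keystore entry and CA path are placeholders)

winlogbeat.event_logs:
  # All five event IDs from the list above live in the Security log,
  # so one entry with a comma-separated event_id filter is enough.
  - name: Security
    event_id: 4624, 4625, 4688, 4720, 1102
    # Skip backlog older than three days on first start so the index
    # is not flooded with historical events.
    ignore_older: 72h

output.elasticsearch:
  hosts: ["https://192.0.2.10:9200"]   # placeholder Elasticsearch address
  protocol: "https"
  username: "elastic"
  password: "${ES_PWD}"                # read from the Beats keystore, not the file

  # Lab setting from the walkthrough: encrypts the link but skips certificate
  # validation, so a man-in-the-middle could impersonate Elasticsearch.
  # ssl.verification_mode: none

  # Hardened form: verify the server certificate against the Elasticsearch CA.
  # Copy http_ca.crt from the Elasticsearch host to this path (placeholder).
  ssl.verification_mode: full
  ssl.certificate_authorities: ['C:\ProgramData\winlogbeat\http_ca.crt']
```

After editing, the `test config` and `test output` commands that follow confirm the file parses and that the CA pin actually matches the certificate Elasticsearch presents.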

Now, we need to test the configuration file to identify any potential issues.

```powershell
.\winlogbeat.exe test config -c .\winlogbeat.yml -e
```

<figure><img src="/files/iHzLwzTgXbj283M0sDJm" alt=""><figcaption></figcaption></figure>

We can also test the connection to our output by running:

```powershell
.\winlogbeat.exe test output -c .\winlogbeat.yml -e
```

<figure><img src="/files/UlHvfFBm0WxWWfOonRxn" alt=""><figcaption></figcaption></figure>

Next, we need to start the **`winlogbeat`** service:

```powershell
Start-Service winlogbeat
Get-Service winlogbeat
```

<figure><img src="/files/c9QZ7BGDx2Zfa0TWCgFL" alt=""><figcaption></figcaption></figure>

Next, we run **Winlogbeat** in the foreground with the `winlogbeat.yml` configuration file so that it shows real-time logs in the console.

```powershell
.\winlogbeat.exe -c .\winlogbeat.yml -e
```

<figure><img src="/files/qCPjLI6FTpx1t2wcxv3r" alt=""><figcaption></figcaption></figure>

* `.\winlogbeat.exe` → Runs the Winlogbeat program to collect Windows logs.
* `-c .\winlogbeat.yml` → Uses the **winlogbeat.yml** file for configuration (tells Winlogbeat which event logs to collect and where to send them, e.g. Elasticsearch or Logstash).
* `-e` → Shows log messages **on the screen** instead of saving them to a file.

Now, let's verify that the logs are properly displayed in Kibana.

<figure><img src="/files/rbEs0YlmLgZFZQ9P9q8J" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/3nrwCvczWRQUy1Gj6w3G" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/VP0IHJ8XyQ4XRzoMbdTF" alt=""><figcaption></figcaption></figure>

## Filebeat

Let's start by adding Elastic’s GPG key to verify the packages:

```bash
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | \
  sudo gpg --dearmor -o /usr/share/keyrings/elastic-keyring.gpg
```

<figure><img src="/files/NxxxWmSYv2XiKCrUAYVr" alt=""><figcaption></figcaption></figure>

Next, we need to add the Elastic repository to our system:

```bash
echo "deb [signed-by=/usr/share/keyrings/elastic-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | \
  sudo tee /etc/apt/sources.list.d/elastic-8.x.list
```

<figure><img src="/files/4hPG5wP5YBRc8icwmeRH" alt=""><figcaption></figcaption></figure>

Next, let's update the package list and install Filebeat.

```bash
sudo apt update && sudo apt install filebeat
```

<figure><img src="/files/dKKPIcPLsR841j9GyBrj" alt=""><figcaption></figcaption></figure>

The next step is to open the Filebeat configuration file.

```bash
sudo nano /etc/filebeat/filebeat.yml
```

<figure><img src="/files/UNpp9TlSfUJEF3YxPaEK" alt=""><figcaption></figcaption></figure>

**Filebeat** is configured to read the system log files (`/var/log/*.log`).

We also need to edit the file so that Filebeat sends its logs directly to **Elasticsearch**.

<figure><img src="/files/AGnf5ywrOavB54tmrBCr" alt=""><figcaption></figcaption></figure>
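As an added example (not the file from the screenshots), here is a `filebeat.yml` fragment matching the two edits above: a `filestream` input enabled for `/var/log/*.log`, tagged so the events are easy to find in Kibana, and an Elasticsearch output with certificate verification left on. The host `192.0.2.10`, the keystore entry `ES_PWD` (created with `sudo filebeat keystore create` and `sudo filebeat keystore add ES_PWD`) and the CA path `/etc/filebeat/http_ca.crt` are placeholders.

```yaml
# filebeat.yml (added example; host, keystore entry and CA path are placeholders)

filebeat.inputs:
  - type: filestream
    # Filebeat 8.x expects every filestream input to carry a unique id,
    # which it uses to track read offsets across restarts.
    id: system-logs
    enabled: true
    paths:
      - /var/log/*.log
    # Tag the events so they can be filtered in Kibana with tags:lab-linux.
    tags: ["lab-linux"]

output.elasticsearch:
  hosts: ["https://192.0.2.10:9200"]   # placeholder Elasticsearch address
  protocol: "https"
  username: "elastic"
  password: "${ES_PWD}"                # read from the Beats keystore, not the file
  # Verify the server certificate against the Elasticsearch CA instead of
  # disabling verification; copy http_ca.crt from the Elasticsearch host.
  ssl.verification_mode: full
  ssl.certificate_authorities: ["/etc/filebeat/http_ca.crt"]
```

Keep the file owned by root and not group- or world-writable; Filebeat refuses to load a configuration it does not own or that other users can modify.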

Next, we need to start the Filebeat service and configure it to launch automatically at system startup.

```bash
sudo systemctl start filebeat
sudo systemctl enable filebeat
sudo systemctl status filebeat
```

<figure><img src="/files/bm2YhqxQlItZ9fom7TJK" alt=""><figcaption></figcaption></figure>

Let's check the **`Filebeat`** configuration for any errors.

```bash
sudo filebeat test config
```

<figure><img src="/files/Rl9OBOwtJLtMYYNY5NNx" alt=""><figcaption></figcaption></figure>

Let's also test the connection to **`Elasticsearch`** by running:

```bash
sudo filebeat test output
```

<figure><img src="/files/Aw0TdYfqP5zP7fpFsAkT" alt=""><figcaption></figcaption></figure>

Let's verify whether the logs are being displayed in ELK.

<figure><img src="/files/EsibsKZ19Zhbi6Co2Q1f" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/t9Pe0XD4Ep1ThgAw067v" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/CiYm9KxacV0gvxCQXZ9F" alt=""><figcaption></figcaption></figure>
