FaresMorcy
  • Whoami
  • Footprinting Labs
    • Lab - Easy
    • Lab - Medium
    • Lab - Hard
  • Shells & Payloads
    • The Live Engagement
  • Password Attacks
    • Lab - Easy
    • Lab - Medium
    • Lab - Hard
  • SOC Hackthebox Notes & Labs
    • Security Monitoring & SIEM Fundamentals Module
    • Windows Event Logs & Finding Evil Module
    • Introduction to Threat Hunting & Hunting With Elastic Module
    • Understanding Log Sources & Investigating with Splunk Module
      • Introduction To Splunk & SPL
      • Using Splunk Applications
      • Intrusion Detection With Splunk (Real-world Scenario)
      • Detecting Attacker Behavior With Splunk Based On TTPs
      • Detecting Attacker Behavior With Splunk Based On Analytics
      • Skills Assessment
    • Windows Attacks & Defense
      • Kerberoasting
      • AS-REProasting
      • GPP Passwords
      • GPO Permissions/GPO Files
      • Credentials in Shares
      • Credentials in Object Properties
      • DCSync
      • Golden Ticket
      • Kerberos Constrained Delegation
      • Print Spooler & NTLM Relaying
      • Coercing Attacks & Unconstrained Delegation
      • Object ACLs
      • PKI - ESC1
      • Skills Assessment
    • Intro to Network Traffic Analysis Module
    • YARA & Sigma for SOC Analysts Module
      • Developing YARA Rules
      • Hunting Evil with YARA (Windows Edition)
      • Hunting Evil with YARA (Linux Edition)
      • Sigma and Sigma Rules
      • Developing Sigma Rules
      • Hunting Evil with Sigma (Chainsaw Edition)
      • Hunting Evil with Sigma (Splunk Edition)
      • Skills Assessment
  • TryHackme SOC 1
    • TShark
      • TShark: The Basics
      • TShark: CLI Wireshark Features
      • TShark Challenge I: Teamwork
      • TShark Challenge II: Directory
    • Tempest
    • Boogeyman 1
    • Boogeyman 2
    • Boogeyman 3
  • TryHackme SOC 2
    • Advanced Splunk
      • Splunk: Exploring SPL
      • Splunk: Setting up a SOC Lab
      • Splunk: Dashboards and Reports
      • Splunk: Data Manipulation
      • Fixit
    • Advanced ELK
      • Slingshot
    • Threat Hunting
      • Threat Hunting: Foothold
      • Threat Hunting: Pivoting
      • Threat Hunting: Endgame
  • TryHackme Rooms
    • Investigating Windows
    • Splunk 2
    • Windows Network Analysis
  • Sans SEC505
    • Powershell Scripting Fundamentals
    • Book One
      • The Object-Oriented Command Shell
  • SANS SEC504 & Labs
    • Book one
      • Live Examination
      • Network Investigations
      • Memory Investigations
      • Malware Investigations
      • Accelerating IR with Generative AI
      • Bootcamp: Linux Olympics
      • Bootcamp: Powershell Olympics
    • Book Two
      • Hacker Tools and Techniques Introduction
      • Target Discovery and Enumeration
      • Discovery and Scanning with Nmap
      • Cloud Spotlight: Cloud Scanning
      • SMB Security
      • Defense Spotlight: Hayabusa and Sigma Rules
    • Book Three
      • Password Attacks
      • Cloud Spotlight: Microsoft 365 Password Attacks
      • Understanding Password Hashes
      • Password Cracking
      • Cloud Spotlight: Insecure Storage
      • Multipurpose Netcat
    • Book Four
      • Metasploit Framework
      • Drive-By Attacks
      • Command Injection
      • Cross-Site Scripting
      • SQL Injection
      • Cloud Spotlight: SSRF and IMDS
    • Book Five
      • Endpoint Security Bypass
      • Pivoting and Lateral Movement
      • Hijacking Attacks
      • Establishing Persistence
      • Defense Spotlight: RITA
      • Cloud Spotlight: Cloud Post-Exploitation
  • SANS SEC511 & Labs
    • Resources
      • Primers
      • References
      • Tools
        • Network
        • Elastic Stack
      • Printable Versions
    • Book One
      • Part One
      • Part Two
      • Part Three
    • Book Two
      • Part One
      • Part Two
      • Part Three
      • Part Four
    • Book Three
      • Part One
      • Part Two
      • Part Three
      • Part Four
    • Book Four
      • Part One
      • Part Two
      • Part Three Lab
      • Part Four Lab
    • Book Five
      • Part One Lab
      • Part Two Lab
      • Part Three Lab
  • CyberDefenders
    • XXE Infiltration Lab
    • T1594 Lab
    • RetailBreach Lab
    • DanaBot Lab
    • OpenWire Lab
    • BlueSky Ransomware Lab
    • Openfire Lab
    • Boss Of The SOC v1 Lab
    • GoldenSpray Lab
    • REvil Lab
    • ShadowRoast Lab
    • SolarDisruption Lab
    • Kerberoasted Lab
    • T1197 Lab
    • Amadey Lab
    • Malware Traffic Analysis 1 Lab
    • Insider Lab
    • Volatility Traces Lab
    • FalconEye Lab
    • GitTheGate Lab
    • Trident Lab
    • NerisBot Lab
  • Practical Windows Forensics
    • Data Collection
    • Examination
    • Disk Analysis Introduction
    • User Behavior
    • Overview of disk structures, partitions and file systems
    • Finding Evidence of Deleted Files with USN Journal Analysis
    • Analyzing Evidence of Program Execution
    • Finding Evidence of Persistence Mechanisms
    • Uncover Malicious Activity with Windows Event Log Analysis
    • Windows Memory Forensic Analysis
  • WEInnovate Training
    • Build ELK Lab
      • Configure Elasticsearch and Kibana setup in ubuntu
      • Fluent-Bit
      • Winlogbeat & Filebeat
      • Send Logs from Winlogbeat through Logstash to ELK
      • Audit policy & Winlogbeat
      • Elasticsearch API and Ingestion Pipeline
    • SOAR
      • Send Alerts To Email & Telegram Bot
      • Integrate Tines with ELK
    • SOC Practical Assessment
    • Boss of the SOC V1 - Web Defacement
    • Lumma C2
    • Network Analysis
Powered by GitBook
On this page
  • Winlogbeat
  • Filebeat
  1. WEInnovate Training
  2. Build ELK Lab

Winlogbeat & Filebeat

PreviousFluent-Bit NextSend Logs from Winlogbeat through Logstash to ELK

Last updated 17 days ago

Winlogbeat

We will begin by installing Winlogbeat on our Windows machine.

  • Winlogbeat: https://www.elastic.co/downloads/beats/winlogbeat

Next, we need to extract the contents into C:\Program Files

Next, let's run the following commands to install the service.

PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-winlogbeat.ps1

Next, we need to modify the winlogbeat.yml configuration file to enable the Windows event logs we want to collect:

Event IDs:

  • 4688: A new process has been created.

  • 4624: An account was successfully logged on.

  • 4625: An account failed to log on.

  • 4720: A user account was created.

  • 1102: The audit log was cleared

Next, let's update the Elasticsearch output section:

  • ssl.verification_mode: none→ This will bypass the certificate check.

  • protocol: "https" → This tells Winlogbeat to use the HTTPS protocol when connecting.

This configures Winlogbeat to securely (or at least over HTTPS, though without SSL verification) send logs to a specific Elasticsearch server using a username and password.

Now, we need to test the configuration file to identify any potential issues.

.\winlogbeat.exe test config -c .\winlogbeat.yml -e

We can also test the connection to our output by running:

.\winlogbeat.exe test output -c .\winlogbeat.yml -e

Next, we need to start the winlogbeat service:

Start-Service winlogbeat
Get-Service winlogbeat

Next, we need to run Winlogbeat using the winlogbeat.yml configuration file and shows real-time logs in the console.

.\winlogbeat.exe -c .\winlogbeat.yml -e

  • .\winlogbeat.exe → Runs the Winlogbeat program to collect windows logs.

  • -c .\winlogbeat.yml → Uses the winlogbeat.yml file for configuration (tells Winlogbeat where to send logs, like Logstash).

  • -e → Shows log messages on the screen instead of saving them to a file

Now, let's verify that the logs are properly displayed in Kibana.

Filebeat

Let's start by adding Elastic’s GPG key to verify the packages:

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg 
--dearmor -o /usr/share/keyrings/elastic-keyring.gpg

Next, we need to add the Elastic repository to our system:

echo "deb [signed-by=/usr/share/keyrings/elastic-keyring.gpg] 
https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee 
/etc/apt/sources.list.d/elastic-8.x.list

Next, let's update the package list and install Filebeat.

sudo apt update && sudo apt install filebeat

The next step is to open the Filebeat configuration file.

sudo nano /etc/filebeat/filebeat.yml

Filebeat is configured to read logs from system logs (/var/log/*.log).

Now we need to edit the file also to send logs directly to Elasticsearch.

Next, we need to start the Filebeat service and configure it to launch automatically at system startup.

sudo systemctl start filebeat
sudo systemctl enable filebeat
sudo systemctl status filebeat

Let's check the Filebeat configuration for any errors.

sudo filebeat test config

Let's also test the connection to Elasticsearch by running:

sudo filebeat test output

Let's verify whether the logs are being displayed in ELK.