📒
Book of VanLuong
  • 👨‍💻About the Author
  • Cryptography
    • Cryptanalysis
      • RSA & RSA ATTACK
      • DES (Data Encryption Standard)
      • AES (Advanced Encryption Standard)
      • ECC ( Elliptic Curve of Cryptography)
      • Group-based Cryptography
      • Lattice-based Cryptography
      • ChaCha20-Poly1305
      • Hash Function
      • Wargame CTF
  • C2
    • Practical with Havoc Framework
  • Blue Teaming
    • SIEM & SOC
      • SIEM
      • SOC
      • Splunk
    • Cybersecurity Lab & Threat Intelligence
      • Build ELK Lab
        • Configure Elasticsearch and Kibana setup in ubuntu
        • Fluent Bit – Sending Logs to ELK with Fluent Bit
        • Winlogbeat – Collecting and Forwarding Windows Event Logs.
        • Filebeat – Collecting and Forwarding Windows Event Logs.
        • Send Logs from Winlogbeat through Logstash to ELK
        • Audit policy & Winlogbeat
      • Sysmon configuration
    • PowerShell in Incident Response and Threat Hunting
      • PowerShell For Incident Response
      • PowerShell For Threat Hunting
  • Techniques used in malware
    • DLL side loading
    • DLL Unhooking
    • Call stack spoofing
  • Wazuh App Dashboards for Splunk
  • Windows
    • 70 Vital Windows Commands
    • Windows Registry Forensics
  • Guide to Installing Kali Linux, DVWA, and bWAPP
    • Phần 1. CÀI ĐẶT HỆ ĐIỀU HÀNH KALI LINUX
    • Phần 2. CÀI ĐẶT DVWA
    • Phần 3. CÀI ĐẶT BWAPP
  • CTF
    • CTF-writeup-in-KCSC
Powered by GitBook
On this page

Was this helpful?

  1. Blue Teaming
  2. Cybersecurity Lab & Threat Intelligence
  3. Build ELK Lab

Winlogbeat – Collecting and Forwarding Windows Event Logs.

PreviousFluent Bit – Sending Logs to ELK with Fluent BitNextFilebeat – Collecting and Forwarding Windows Event Logs.

Last updated 3 months ago

Was this helpful?

Winlogbeat

Winlogbeat is a lightweight log shipper from the Beats family that collects and forwards Windows event logs to Elasticsearch or Logstash for analysis and visualization in Kibana.It runs as a Windows service and can be configured to send logs directly to Elasticsearch or through Logstash for further processing.

Browsing the official page, download the appropriate Winlogbeat.zip file for your Windows machine.

Next, we need to extract the contents into C:\Program Files

Next, let's run the following commands to install the service.

PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-winlogbeat.ps1

Next, we need to modify the winlogbeat.yml configuration file to enable the Windows event logs we want to collect:

Event IDs:

  • 4688: A new process has been created.

  • 4624: An account was successfully logged on.

  • 4625: An account failed to log on.

  • 4720: A user account was created.

  • 1102: The audit log was cleared

Next, let's update the Elasticsearch output section:

  • ssl.verification_mode: none→ This will bypass the certificate check.

  • protocol: "https" → This tells Winlogbeat to use the HTTPS protocol when connecting.

Now, we need to test the configuration file to identify any potential issues.

.\winlogbeat.exe test config -c .\winlogbeat.yml -e

We can also test the connection to our output by running:

.\winlogbeat.exe test output -c .\winlogbeat.yml -e

Next, we need to start the winlogbeat service:

Start-Service winlogbeat
Get-Service winlogbeat

Next, we need to run Winlogbeat using the winlogbeat.yml configuration file and shows real-time logs in the console.

.\winlogbeat.exe -c .\winlogbeat.yml -e

  • .\winlogbeat.exe → Runs the Winlogbeat program to collect windows logs.

  • -c .\winlogbeat.yml → Uses the winlogbeat.yml file for configuration (tells Winlogbeat where to send logs, like Logstash).

  • -e → Shows log messages on the screen instead of saving them to a file

Now, let's verify that the logs are properly displayed in Kibana.

Now, with computer name Windows10 I try login incorrect passowrd.

Now we will use filter to find event ID 4625 and hostname Windows10

event.code: "4625" and host.hostname: "Windows10"

We will see logon_failed events.

Elastic Downloads