Winlogbeat – Collecting and Forwarding Windows Event Logs.

Winlogbeat

Winlogbeat is a lightweight log shipper from the Beats family that collects Windows event logs and forwards them to Elasticsearch or Logstash for analysis and visualization in Kibana. It runs as a Windows service and can be configured to send logs directly to Elasticsearch or through Logstash for further processing.

From the official Elastic Downloads page, download the Winlogbeat .zip file that matches your Windows machine.

Next, we need to extract the contents into C:\Program Files.

Next, let's run the following commands to install the service.

PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-winlogbeat.ps1

Next, we need to modify the winlogbeat.yml configuration file to enable the Windows event logs we want to collect:

Event IDs:

  • 4688: A new process has been created.

  • 4624: An account was successfully logged on.

  • 4625: An account failed to log on.

  • 4720: A user account was created.

  • 1102: The audit log was cleared.

Next, let's update the Elasticsearch output section:

  • ssl.verification_mode: none → This bypasses the check of the Elasticsearch server certificate.

  • protocol: "https" → This tells Winlogbeat to use the HTTPS protocol when connecting.
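Putting the two sections together, here is an added example of the winlogbeat.yml fragment described above (written for this page, not the file shipped with Winlogbeat). The Elasticsearch host, user name and CA path are assumed placeholders, and the hardened SSL variant is shown beside the page's lab setting:

```yaml
# winlogbeat.yml (example fragment; host, user and CA path are placeholders)

winlogbeat.event_logs:
  # Security log: only the event IDs listed above, so the shipper does not
  # push every audit record to the cluster.
  # 4688 only appears if process-creation auditing is enabled in audit policy;
  # 4720 needs user-account-management auditing.
  - name: Security
    event_id: 4624, 4625, 4688, 4720, 1102
    ignore_older: 72h        # on first start, skip records older than 3 days

output.elasticsearch:
  hosts: ["https://elasticsearch.example.internal:9200"]  # placeholder host
  protocol: "https"
  username: "winlogbeat_writer"                           # placeholder user
  password: "${ES_PASSWORD}"      # expanded from the keystore or environment
  # Lab setting from this page: the server certificate is not validated,
  # so any certificate presented on the path to Elasticsearch is accepted.
  ssl.verification_mode: none
  # Hardened alternative: keep validation and trust the CA that signed the
  # Elasticsearch certificate (placeholder path).
  # ssl.verification_mode: full
  # ssl.certificate_authorities: ["C:\\Program Files\\Winlogbeat\\ca.crt"]
```

The password placeholder is resolved with `winlogbeat.exe keystore add ES_PASSWORD`, so the credential never sits in the YAML file.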

Now, we need to test the configuration file to identify any potential issues.

.\winlogbeat.exe test config -c .\winlogbeat.yml -e

We can also test the connection to our output by running:

.\winlogbeat.exe test output -c .\winlogbeat.yml -e

Next, we need to start the winlogbeat service:

Start-Service winlogbeat
Get-Service winlogbeat

Next, we run Winlogbeat with the winlogbeat.yml configuration file so that it shows real-time logs in the console.

.\winlogbeat.exe -c .\winlogbeat.yml -e

  • .\winlogbeat.exe → Runs the Winlogbeat program to collect Windows logs.

  • -c .\winlogbeat.yml → Uses the winlogbeat.yml file for configuration (tells Winlogbeat where to send logs, e.g. Logstash).

  • -e → Shows log messages on the screen instead of saving them to a file.

Now, let's verify that the logs are properly displayed in Kibana.

Now, on the computer named Windows10, I try to log in with an incorrect password.

Now we will use a filter to find event ID 4625 for the hostname Windows10:

event.code: "4625" and host.hostname: "Windows10"

We will see logon_failed events.
