Elastic Stack : Install Winlogbeat
2017/05/13
 
Install Winlogbeat, which ships Windows event logs to Elasticsearch or Logstash.
This example assumes the following environment.
+----------------------+          |          +----------------------+
|  [  dlp.srv.world  ] |10.0.0.30 | 10.0.0.70| [  fd3s.srv.world  ] |
|    Elasticsearch     +----------+----------+      Winlogbeat      |
|      (CentOS 7)      |                     |    (Windows 2016)    |
+----------------------+                     +----------------------+

[1] Download Winlogbeat from the official site below onto the Windows Server.
⇒ https://www.elastic.co/jp/downloads/beats/winlogbeat
[2] After downloading, extract the archive, then rename the folder and move it wherever you like.
In this example it is placed at [C:\Program Files\winlogbeat] as follows.
[3] Run PowerShell and register the Winlogbeat service as follows.
  PS > cd "C:\Program Files\winlogbeat"
  PS > ./install-service-winlogbeat.ps1
[4] Open the configuration file and edit it. ⇒ [C:\Program Files\winlogbeat\winlogbeat.yml]
# line 20: set the event log channels to collect
winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: Security
  - name: System

.....
.....

# line 47: specify the output destination
# to send to Logstash instead, comment out these lines and uncomment lines 57 and 59
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["10.0.0.30:9200"]

.....
.....

#output.logstash:
  # The Logstash hosts
  #hosts: ["localhost:5044"]


[5] After finishing the configuration, start the Winlogbeat service.
[6] Make sure the data has been collected correctly.
# index list

[root ~]#
curl localhost:9200/_cat/indices?v

health status index                 uuid                   pri rep docs.count docs.deleted store.size pri.store.size
yellow open   sshd_fail-2017.05     owhoRGiwTWGdZaqKAMw66g   5   1        104            0    400.8kb        400.8kb
yellow open   heartbeat-2017.05.13  YZlmpM9FQKa3mLYjB2hybA   5   1       1320            0      849kb          849kb
yellow open   metricbeat-2017.05.13 fPuXG63yScKddvEfnGal8Q   5   1      51841            0       26mb           26mb
yellow open   filebeat-2017.05.13   AvanfxyiQzebNO4Y1ZUhYg   5   1         19            0     33.5kb         33.5kb
yellow open   .kibana               FGjE6bGUTlioELtM_QynMQ   1   1        222           23    356.5kb        356.5kb
yellow open   packetbeat-2017.05.13 lghVPcOsSbCQF0jXVo3iRA   5   1      10986            0      5.8mb          5.8mb
yellow open   winlogbeat-2017.05.12 XbL8prmiQruOHCCDaEIY6Q   5   1        659            0      1.3mb          1.3mb

# document list on the index

[root ~]#
curl localhost:9200/winlogbeat-2017.05.12/_search?pretty

{
  "took" : 4,
  "timed_out" : false,
  "_shards" : {
    "total" : 5,
    "successful" : 5,
    "failed" : 0
  },
  "hits" : {
    "total" : 659,
    "max_score" : 1.0,
    "hits" : [
      {
        "_index" : "winlogbeat-2017.05.12",
        "_type" : "wineventlog",

.....
.....
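As an added check for step [6] (example code, not from the original page): count the shipped documents per Windows event log channel and compare them with the channels listed in winlogbeat.yml, so a channel that is configured but delivers nothing (a mistyped channel name, or no read permission on that log) shows up as a warning. It assumes Winlogbeat's log_name field and a terms aggregation on the Elasticsearch side; the sample response is constructed and the host is the one from the diagram.

```python
import json
import re
import urllib.request
# winlogbeat.yml excerpt from step [4], embedded so the script runs stand-alone.
WINLOGBEAT_YML = """winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: Security
  - name: System
"""

# Constructed Elasticsearch response (shape of a terms aggregation); the counts are made up.
SAMPLE_RESPONSE = {"hits": {"total": 659}, "aggregations": {"by_channel": {"buckets": [
    {"key": "Security", "doc_count": 512}, {"key": "System", "doc_count": 147}]}}}
# Aggregate documents by the Winlogbeat log_name field instead of paging through hits.
AGG_QUERY = {"size": 0, "aggs": {"by_channel": {"terms": {"field": "log_name", "size": 50}}}}


def configured_channels(yml_text):
    """Channel names under winlogbeat.event_logs ('- name:' lines; not a full YAML parser)."""
    return set(re.findall(r"^\s*-\s*name:\s*(\S+)", yml_text, re.MULTILINE))


def channel_counts(response):
    """Map channel name -> document count from the by_channel aggregation buckets."""
    return {b["key"]: b["doc_count"] for b in response["aggregations"]["by_channel"]["buckets"]}


def missing_channels(yml_text, response):
    """Configured channels from which Elasticsearch has received no documents at all."""
    return sorted(configured_channels(yml_text) - set(channel_counts(response)))


def fetch_response(es_host="10.0.0.30:9200", index="winlogbeat-*"):
    """Run AGG_QUERY against a live node; plain HTTP, matching the page's output.elasticsearch."""
    req = urllib.request.Request(f"http://{es_host}/{index}/_search",
                                 data=json.dumps(AGG_QUERY).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Swap SAMPLE_RESPONSE for fetch_response() to check the host from the diagram.
    response = SAMPLE_RESPONSE
    for name, count in sorted(channel_counts(response).items()):
        print(f"{name:12s} {count}")
    for name in missing_channels(WINLOGBEAT_YML, response):
        print(f"WARNING: no events received from the {name} channel")
```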
[7] If Kibana is running, you can import the sample dashboards with the import script.
  PS > cd "C:\Program Files\winlogbeat"
  PS > ./import_dashboards.exe -es (Elasticsearch Host)