05. Winlogbeat Configuration
Winlogbeat is a lightweight log shipper developed by Elastic that collects Windows event logs and sends them to Elasticsearch or Logstash for centralized monitoring and analysis.
Throughout this step, we will:
- Configure Winlogbeat to collect security and system events.
- Set up the connection between Winlogbeat and the ELK server.
- Test and verify that the logs are successfully reaching Elasticsearch.
By the end of this section, our Windows Server will be fully integrated with the SIEM, enabling real-time visibility of system activities and security events directly in Kibana dashboards.
Step 1 - Configuring Winlogbeat
In this section, we configured Winlogbeat on the Windows Server machine (LAB-WIN-SERVER) to collect event logs and forward them to the SIEM (ELK Stack) hosted on LAB-ELK-N8N.
Before doing anything else, I'll make sure that the Windows Server can connect to our SIEM system:
Step 1 - Edit the Configuration File
Open PowerShell as Administrator, then edit the main configuration file:
notepad "C:\Program Files\Winlogbeat\winlogbeat.yml"
Under the winlogbeat.event_logs: section, define the main Windows event channels to monitor:
# =============== Winlogbeat specific options =========
winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: System
    ignore_older: 72h
  - name: Security
    ignore_older: 72h
  - name: Microsoft-Windows-Sysmon/Operational
  - name: Windows PowerShell
    event_id: 400, 403, 600, 800
  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104, 4105, 4106
  - name: ForwardedEvents
    tags: [forwarded]
Step 2 - Configure Kibana and Elasticsearch Output
Under the Kibana section:
# =================== Kibana ==================
# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:
  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify an additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  host: "http://192.168.1.16:5601"
  #ssl.verification_mode: none
  # Kibana Space ID
  # ID of the Kibana Space into which the dashboards should be loaded. By default,
  # the Default Space will be used.
  #space.id:
If Kibana is using HTTPS, I'll remove the comment (#) from the SSL line in the configuration file.
Under the Outputs section, add the template settings and configure the Elasticsearch output:
# ================================== Outputs ===================================
# Configure what output to use when sending the data collected by the beat.
setup.template.enabled: true
setup.template.name: "as-win-abdelwahab-shandy-winlogbeat"
setup.template.pattern: "as-win-abdelwahab-shandy-winlogbeat-*"
setup.ilm.enabled: false
winlogbeat.index: "as-win-abdelwahab-shandy-winlogbeat-%{+yyyy.MM.dd}"
# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["https://192.168.1.16:9200"]
  # Disables certificate chain verification; the "test output" run below warns about this.
  # Once the ELK CA certificate is available on this host, point ssl.certificate_authorities at it instead.
  ssl.verification_mode: none
  # Protocol - either `http` (default) or `https`.
  #protocol: "https"
  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  username: "elastic"
  password: "3lSq=GCEWU1ygpW_cEkl"
  # Pipeline to route events to security, sysmon, or powershell pipelines.
  # pipeline: "winlogbeat-%{[agent.version]}-routing"
Step 3 - Install and Start the Winlogbeat Service
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
.\install-service-winlogbeat.ps1
Start-Service winlogbeat
Then confirm the service status:
Get-Service winlogbeat
Step 4 - Test Configuration and Connectivity
Validate syntax:
.\winlogbeat.exe test config
Config OK
Output: Config OK
Check Elasticsearch connection:
.\winlogbeat.exe test output
elasticsearch: https://192.168.1.16:9200...
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: 192.168.1.16
dial up... OK
TLS...
security... WARN server's certificate chain verification is disabled
handshake... OK
TLS version: TLSv1.3
dial up... OK
talk to server... OK
version: 9.1.4
Output: Successful connection (TLSv1.3)
Step 5 - Load Dashboards and Pipelines
.\winlogbeat.exe setup -e
This automatically loads:
- Index templates
- Ingest pipelines
- Default Winlogbeat dashboards
All successfully verified with logs such as:
Kibana dashboards successfully loaded.
Loaded Ingest pipelines
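Before switching to the Kibana UI, the same end-to-end check can be scripted from the Windows Server itself. This is an added example, not part of the original write-up; it assumes the Elasticsearch URL, index pattern and elastic user from the configuration above, and PowerShell 7 or later run as Administrator on LAB-WIN-SERVER.

```powershell
# Added example, not from the original write-up: checks that every channel named
# in winlogbeat.event_logs exists on this host, that the service is running, and
# that events for this host have landed in the custom index pattern.
# Assumes: the Elasticsearch URL, index pattern and "elastic" user from the
# configuration above; PowerShell 7+ run as Administrator on LAB-WIN-SERVER.
$EsUrl    = "https://192.168.1.16:9200"
$IndexPat = "as-win-abdelwahab-shandy-winlogbeat-*"
$Cred     = Get-Credential -UserName "elastic" -Message "Elasticsearch password"
$Channels = @("Application", "System", "Security",
              "Microsoft-Windows-Sysmon/Operational", "Windows PowerShell",
              "Microsoft-Windows-PowerShell/Operational", "ForwardedEvents")

# 1. A channel that is missing locally (e.g. Sysmon not installed) or disabled
#    produces nothing to ship and shows up as errors in the Winlogbeat log.
foreach ($ch in $Channels) {
    $log = Get-WinEvent -ListLog $ch -ErrorAction SilentlyContinue
    if ($null -eq $log)          { Write-Warning "Channel not found: $ch" }
    elseif (-not $log.IsEnabled) { Write-Warning "Channel disabled:  $ch" }
    else { Write-Host ("OK  {0} ({1} records)" -f $ch, $log.RecordCount) }
}

# 2. The service installed in Step 3 must actually be running.
$svc = Get-Service winlogbeat
if ($svc.Status -ne "Running") { throw "winlogbeat service is $($svc.Status)" }

# 3. Count documents per channel for this host over the last 24h, using the ECS
#    fields Winlogbeat writes (host.name, winlog.channel, @timestamp). The term
#    query is case-insensitive because Beats may lowercase the host name.
$body = @{
    size  = 0
    query = @{ bool = @{ filter = @(
        @{ term  = @{ "host.name"  = @{ value = $env:COMPUTERNAME; case_insensitive = $true } } },
        @{ range = @{ "@timestamp" = @{ gte = "now-24h" } } }
    ) } }
    aggs  = @{ per_channel = @{ terms = @{ field = "winlog.channel"; size = 20 } } }
} | ConvertTo-Json -Depth 10

# -SkipCertificateCheck mirrors ssl.verification_mode: none in winlogbeat.yml;
# drop it (and that setting) once the ELK CA is trusted on this host.
$resp = Invoke-RestMethod -Method Post -Uri "$EsUrl/$IndexPat/_search" `
    -Credential $Cred -Authentication Basic -SkipCertificateCheck `
    -ContentType "application/json" -Body $body

if ($resp.hits.total.value -eq 0) { throw "No events from $env:COMPUTERNAME in $IndexPat" }
Write-Host "Events from this host in the last 24h: $($resp.hits.total.value)"
$resp.aggregations.per_channel.buckets |
    ForEach-Object { Write-Host ("{0,-45} {1}" -f $_.key, $_.doc_count) }
```

A channel that reports OK locally but never appears in the per-channel counts usually means the channel is not in winlogbeat.event_logs or the service was started before the file was edited.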
Verifying Logs in Kibana
After completing the configuration of Winlogbeat and starting the service, the next step is to verify that logs are being received and indexed correctly in the ELK Stack.
Step 1 - Access Kibana
Open your browser and navigate to:
https://192.168.1.16:5601 (or your own Kibana IP)
Log in using your Elasticsearch credentials:
- Username: elastic
- Password: (your password from installation)
After that, go to Analytics > Discover and run a simple search:
Our machine's name is already set to: