Collect Windows logs with Winlogbeat
According to the 2022 Operating System Market Share Worldwide report, the most used operating system in the world is still Windows, with 29 percent.
According to a report on the Statista website, 83.45 percent of the malicious software seen in 2020 was written for the Windows operating system. Google's VirusTotal also reported in 2021 that 95% of the ransomware it spotted targets Windows. These figures suggest that Windows is the system most in need of protection.
If your network is protected by the ELK Stack, the log shipper you need is Winlogbeat.
If you like this article, you can let me know with a clap.
Now that we have seen the statistics, we can proceed to the Winlogbeat installation. Let's dive into Winlogbeat.
- We will download the installation file from the official Elastic page.
- Move the Winlogbeat folder to C:\Program Files\
- Run PowerShell with Administrator privileges
- Go to the Winlogbeat directory with the cd command
cd 'C:\Program Files\Winlogbeat' (press Tab to auto-complete the path)
- Install Winlogbeat with this command
If your PowerShell execution policy blocks the script, use this command instead (it relaxes the policy only for this one invocation):
PowerShell.exe -ExecutionPolicy UnRestricted -File
If Winlogbeat was installed successfully, you will see these lines.
We will configure the winlogbeat.yml file in the same location.
We add the following event log entries, taken from the GitHub taylor-swanson repo, under the winlogbeat.event_logs section of our winlogbeat.yml file.
  - name: Application
  - name: System
  - name: Security
  - name: ForwardedEvents
  - name: Windows PowerShell
    event_id: 400, 403, 600, 800
  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104, 4105, 4106
After adding the IP address of the ELK server to the output section, we are done with the .yml file.
Run this command to test the configuration file:
.\winlogbeat.exe test config -c .\winlogbeat.yml -e
If there are no errors, we can keep going.
We start our Winlogbeat service.
And we can check that the service started with this command.
You can find Winlogbeat's own logs at C:\ProgramData\winlogbeat\Logs\winlogbeat
Your event logs are now on their way to the ELK stack. Thanks for reading.
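The whole procedure above (configure the event log channels and the ELK output, validate the file, install and start the service, confirm it is running and look at the beat's own log) can be done in one elevated PowerShell session. The script below is an added example written for this article; it is not the author's code and not Elastic's own tooling. It assumes the unzipped folder sits at C:\Program Files\Winlogbeat, that the ELK server address is the placeholder 192.0.2.10:9200 (a TEST-NET address, replace it with yours), that the service is named winlogbeat, and that the installer script shipped in the Winlogbeat zip is install-service-winlogbeat.ps1. It overwrites the shipped winlogbeat.yml, so keep a copy if you have customised it.

```powershell
# Added example, not from the original article or from Elastic.
# Run from an elevated PowerShell prompt on the Windows host being monitored.
$ErrorActionPreference = 'Stop'
$beatHome = 'C:\Program Files\Winlogbeat'   # assumption: folder already moved here
$elkHost  = '192.0.2.10:9200'               # placeholder (TEST-NET), replace with your ELK address

# Service installation needs administrator rights; fail early if we do not have them.
$identity = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $identity.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Administrator) PowerShell.'
}

Set-Location $beatHome

# Event log channels from the article plus the Elasticsearch output.
# event_id values are comma-separated strings in winlogbeat.yml.
$config = @"
winlogbeat.event_logs:
  - name: Application
  - name: System
  - name: Security
  - name: ForwardedEvents
  - name: Windows PowerShell
    event_id: 400, 403, 600, 800
  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104, 4105, 4106

output.elasticsearch:
  hosts: ["$elkHost"]
"@
# WriteAllText writes UTF-8 without a byte-order mark, which keeps the YAML clean.
[IO.File]::WriteAllText((Join-Path $beatHome 'winlogbeat.yml'), $config)

# Validate the configuration before touching the service (same check as the article).
& .\winlogbeat.exe test config -c .\winlogbeat.yml -e
if ($LASTEXITCODE -ne 0) { throw 'winlogbeat.yml failed validation' }

# Relax the execution policy for this process only, never machine-wide.
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force

# Install the Windows service only if it is not already registered.
if (-not (Get-Service -Name winlogbeat -ErrorAction SilentlyContinue)) {
    & .\install-service-winlogbeat.ps1   # assumption: installer script name from the Elastic zip
}

Start-Service -Name winlogbeat
$svc = Get-Service -Name winlogbeat
if ($svc.Status -ne 'Running') { throw "winlogbeat service is $($svc.Status), expected Running" }
"winlogbeat service is $($svc.Status)"

# Show the newest lines of the beat's own log to confirm it connected to the output.
$logDir = 'C:\ProgramData\winlogbeat\Logs'
Get-ChildItem -Path $logDir -Filter 'winlogbeat*' -File |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1 |
    Get-Content -Tail 20
```

Scoping the execution-policy change to the current process is the point of the Bypass line: the install script runs, but the machine-wide policy that protects other users and scheduled tasks is left untouched. The config test runs before the service is installed, so a typo in the YAML surfaces in the console rather than as a service that starts and immediately stops.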