Collect Windows logs with Winlogbeat

According to the 2022 report of Operating System Market Share Worldwide, the most used operating system in the world is still windows with 29 percent.

According to the report of the Statista website, the most malicious software in 2020 was written for the windows operating system with a rate of 83.45 percent. Also Google’s VirusTotal reports at 2021 that 95% of ransomware spotted targets Windows. In this case, it makes us think, this is the system most in need of protection.

If your network is protected by ELK Stack, the log transfer tool you need is Winlogbeat.

If you like this article you can notify me with clap.

Now that we have seen the statistics, we can proceed to the winlogbeat installation. Let’s deep dive into Winlogbeat.

  • We will download installation file from offical Elastic page.

cd ‘C:\Program Files\Winlogbeat’ (and press tab)

  • Install Winlogbeat with this command

.\install-service-winlogbeat.ps1

If your Powershell Execution Policy is active, use this command

PowerShell.exe -ExecutionPolicy UnRestricted -File
.\install-service-winlogbeat.ps1.

If Winlogbeat installed with success you will see this lines.

We will configure winlogbeat.yml file at same location.

notepad.exe .\winlogbeat.yml

We add the event log lines from the Github taylor-swanson repo to our winlogbeat.yml file.

winlogbeat.event_logs:
- name: Application
ignore_older: 72h

- name: System

- name: Security

- name: ForwardedEvents
tags: [forwarded]

- name: Windows PowerShell
event_id: 400, 403, 600, 800

- name: Microsoft-Windows-PowerShell/Operational
event_id: 4103, 4104, 4105, 4106

After adding the ip of the ELk server, we are done with the .yml file.

ELK Server IP

Run this command for test configuration file

.\winlogbeat.exe test config -c .\winlogbeat.yml -e

If there is no error we can keep going.

We start our winlogbeat service.

Start-Service Winlogbeat

And we can check started service with this command.

services.msc

You can see Winlogbeat logs at this location C:\ProgramData\winlogbeat\Logs\winlogbeat

Your event logs are already on their way to the Elk stack. Thanks for reading.

\

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Orhan Öztaş

Blue Team Member. I am writing articles for helping you about cyber security.