CentOS 7
Sponsored Link

Elastic Stack 7 : Install Winlogbeat2019/06/17
 
Install Winlogbeat that ships Windows ivent logs to Elasticsearch or Logstash.
This example is based on the environment like follows. 
+----------------------+          |           +----------------------+
|  [  dlp.srv.world  ] |10.0.0.30 | 10.0.0.100| [  fd3s.srv.world  ] |
|    Elasticsearch     +----------+-----------+      Winlogbeat      |
|      (CentOS 7)      |                      |    (Windows 2019)    |
+----------------------+                      +----------------------+
[1] Download Winlogbeat from the pfficial site below on a Windows Server.
⇒ https://www.elastic.co/jp/downloads/beats/winlogbeat
[2] After downloading, extract the file and rename and move to a folder you like.
On this example, locate [C:Program Fileswinlogbeat] like follows.
[3] Run Powershell and add Winlogbeat service like follows.
  PS > cd "C:\Program Files\winlogbeat"
  PS > ./install-service-winlogbeat.ps1
[4] Open the setting file and edit it. ⇒ [C:\Program Files\winlogbeat\winlogbeat.yml] 
# line 20: set items
winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: Security
  - name: System

.....
.....

# line 65: if use Kibana, uncomment and specify output host
# if SSL is enabled on Kibana, hostname should be the same with the hostname in certs
setup.kibana:
.....
  host: https://dlp.srv.world:5601

.....
.....

# line 91: specify output host
# if output to Logstash, comment out Elasticsearch and uncomment logstash lines
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["dlp.srv.world:9200"]

.....
.....

#output.logstash:
  # The Logstash hosts
  #hosts: ["localhost:5044"]

[5] After finishing configuration, Start Winlogbeat service.
[6] Make sure the data has been collected normally on Elasticsearch Server.
# index list

[root@dlp ~]#
curl localhost:9200/_cat/indices?v 

health status index                              uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   .kibana_task_manager               vxyGU_agTXyFTLac6lDMYg   1   1          2            0     25.6kb         12.8kb
green  open   metricbeat-7.1.1-2019.06.18-000001 cXFRA4p3SaO_Jaahxxx-hw   1   1       3802            0      5.3mb          2.7mb
green  open   winlogbeat-7.1.1-2019.06.18-000001 9mTTgj-TQa2BqFP2e9CGvQ   1   1       1310            0      2.5mb          1.3mb
green  open   .kibana_1                          hF7j0i5iRRSa9hAebihkfg   1   1        904           25      1.4mb        727.3kb
green  open   sshd_fail-2019.06                  Mu9wxqZPTkK2X9biuvGP1g   1   1         34            0     80.9kb         40.4kb
green  open   packetbeat-7.1.1-2019.06.18-000001 1uSGzcBjQXO4VlTOKqtNSA   1   1       5914            0      7.7mb          3.9mb
# document list on the index

[root@dlp ~]#
curl localhost:9200/winlogbeat-7.1.1-2019.06.18-000001/_search?pretty 

{
  "took" : 39,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 1310,
      "relation" : "eq"
    },
    "max_score" : 1.0,
    "hits" : [
      {
        "_index" : "winlogbeat-7.1.1-2019.06.18-000001",
        "_type" : "_doc",
        "_id" : "EGVHaGsBLudYHUk6c4z0",
        "_score" : 1.0,
        "_source" : {
          "@timestamp" : "2019-04-09T05:40:20.497Z",
          "winlog" : {
            "provider_guid" : "{555908d1-a6d7-4695-8e1e-26931d2012f4}",
            "api" : "wineventlog",
            "user" : {
              "type" : "User",
              "identifier" : "S-1-5-18",
              "name" : "SYSTEM",
              "domain" : "NT AUTHORITY"
            },

.....
.....
[7] If Kibana is running, it's possible to import data to sample Dashboards.
  PS > cd "C:\Program Files\winlogbeat"
  PS > ./winlogbeat setup --dashboards
Matched Content