CentOS Stream 8
Elastic Stack 7 : Install Winlogbeat (2021/06/22)

 
Install Winlogbeat, which ships Windows event logs to Elasticsearch or Logstash.
This example assumes the environment shown below.
+----------------------+          |           +----------------------+
|  [  dlp.srv.world  ] |10.0.0.30 | 10.0.0.101| [  rx-7.srv.world  ] |
|    Elasticsearch     +----------+-----------+      Winlogbeat      |
|                      |                      |    (Windows 2019)    |
+----------------------+                      +----------------------+

[1] Download Winlogbeat from the official site below on the Windows Server.
⇒ https://www.elastic.co/jp/downloads/beats/winlogbeat

[2] After downloading, extract the archive, then rename and move the folder to a location of your choice.
In this example, it is placed at [C:\Program Files\winlogbeat].
[3] Run PowerShell and register the Winlogbeat service as follows.
  PS > cd "C:\Program Files\winlogbeat"
  PS > ./install-service-winlogbeat.ps1
[4] Open the setting file and edit it. ⇒ [C:\Program Files\winlogbeat\winlogbeat.yml]
# line 21 : set items
winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: Security
  - name: System

.....
.....

# line 126 : if using Kibana, uncomment and specify the Kibana host
# if SSL is enabled on Kibana, the hostname here must match the hostname in the certificate
setup.kibana:
.....
  host: "https://dlp.srv.world:5601"

.....
.....

# line 153 : specify output host
# if output to Logstash, comment out Elasticsearch and uncomment logstash lines
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["dlp.srv.world:9200"]

.....
.....

#output.logstash:
  # The Logstash hosts
  #hosts: ["localhost:5044"]


[5] After finishing the configuration, start the Winlogbeat service.
[6] On the Elasticsearch server host, verify that the data has been collected normally.
# index list

[root@dlp ~]# curl localhost:9200/_cat/indices?v

health status index                               uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   .apm-agent-configuration            y3hQme2SQpGMtb64NLsNdA   1   0          0            0       208b           208b
yellow open   winlogbeat-7.13.2-2021.06.22-000001 gTKUKWkrQdWP_TzEnrlowA   1   1       1910            0      1.5mb          1.5mb
yellow open   heartbeat-7.13.2-2021.06.22-000001  LHK787g7S92UFiUXDDrwpQ   1   1        583            0      716kb          716kb
green  open   .kibana_7.13.2_001                  zA_r0rrjT7OMUMVSGmRVfg   1   0       4891          250      3.5mb          3.5mb
green  open   .apm-custom-link                    d1-9Pkn-RXOu_qhMOanvVA   1   0          0            0       208b           208b
green  open   .kibana-event-log-7.13.2-000001     Y-rCmM6yTBKa9W5H1LeJ1g   1   0          1            0      5.6kb          5.6kb
yellow open   filebeat-7.13.2-2021.06.22-000001   c18zEwqAQVeNecW7d6EAQg   1   1      11859            0      1.8mb          1.8mb
yellow open   auditbeat-7.13.2-2021.06.22-000001  -kMW1wnKQ9-b8WjnJmvScA   1   1       5103            0      4.4mb          4.4mb
green  open   .async-search                       WRLoMwCITRKD3C_BrFJ9bw   1   0         60            0     91.5kb         91.5kb
green  open   .kibana_task_manager_7.13.2_001     x6V232xKQLinqRedJRAbgw   1   0         10          149    190.9kb        190.9kb
yellow open   packetbeat-7.13.2-2021.06.22-000001 nYN59YPRQwGmDrMRXijZxA   1   1      84517            0     30.9mb         30.9mb
yellow open   test_index                          Vh0HutpLRciaMWX3pFo7Zg   1   1          1            0      5.5kb          5.5kb
yellow open   sshd_fail-2021.06                   HiOI2ac-RzK2BiwQ_gb-VQ   1   1         43            0     68.7kb         68.7kb
yellow open   metricbeat-7.13.2-2021.06.22-000001 aVbbCHScQBujmT8JMRdRBw   1   1      23344            0     16.9mb         16.9mb

# document list on the index

[root@dlp ~]# curl localhost:9200/winlogbeat-7.13.2-2021.06.22-000001/_search?pretty

{
  "took" : 6,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 1910,
      "relation" : "eq"
    },
    "max_score" : 1.0,
    "hits" : [
      {
        "_index" : "winlogbeat-7.13.2-2021.06.22-000001",
        "_type" : "_doc",
        "_id" : "oEh3MnoB17m8ogOl-H9c",
        "_score" : 1.0,
        "_source" : {
          "@timestamp" : "2020-12-18T20:54:18.473Z",
          "message" : "The start type of the bfadi service was changed from demand start to boot start.",
          "host" : {
            "name" : "WIN-F2RJGVI7QMA",
            "hostname" : "rx-7",
            "architecture" : "x86_64",
            "os" : {
              "version" : "10.0",
              "family" : "windows",
              "name" : "Windows Server 2019 Datacenter Evaluation",
              "kernel" : "10.0.17763.1637 (WinBuild.160101.0800)",
              "build" : "17763.1637",
              "type" : "windows",
              "platform" : "windows"
            },
            "id" : "20b8dbe8-4f83-4d6e-833e-42850b9a847f",
            "ip" : [
              "fe80::39b2:2cfe:ae59:2980",
              "10.0.0.101"
            ],
.....
.....
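As an added check for step [6] (example code written for this page, not part of the tutorial or of Elastic's tooling), the script below parses the `_cat/indices?v` table and reports whether a winlogbeat-* index exists, holds documents, and is healthy. The embedded sample is constructed from three rows of the listing above; on a real host, pipe the curl output into `parse_cat_indices` instead.

```python
"""Verify that Winlogbeat data has arrived in Elasticsearch by reading the
_cat/indices?v output. The sample below is constructed from rows of the
tutorial's own listing (trimmed to three indices)."""

# Constructed sample: header plus three rows copied from the page's output.
CAT_INDICES_SAMPLE = """\
health status index                               uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   .apm-agent-configuration            y3hQme2SQpGMtb64NLsNdA   1   0          0            0       208b           208b
yellow open   winlogbeat-7.13.2-2021.06.22-000001 gTKUKWkrQdWP_TzEnrlowA   1   1       1910            0      1.5mb          1.5mb
yellow open   filebeat-7.13.2-2021.06.22-000001   c18zEwqAQVeNecW7d6EAQg   1   1      11859            0      1.8mb          1.8mb
"""


def parse_cat_indices(text):
    """Turn the whitespace-separated _cat table into a list of dicts keyed by header name."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) != len(header):
            continue  # skip a malformed row rather than mis-assign its columns
        rows.append(dict(zip(header, fields)))
    return rows


def winlogbeat_status(rows, min_docs=1):
    """Return (ok, findings) for winlogbeat-* indices.

    ok is False when no index exists, an index has fewer than min_docs
    documents, or an index is red. A yellow index with rep=1 on a single-node
    cluster only means the replica shard is unassigned; the data is searchable."""
    findings = []
    beats = [r for r in rows if r["index"].startswith("winlogbeat-")]
    if not beats:
        return False, ["no winlogbeat-* index: service not started or wrong output host"]
    ok = True
    for r in beats:
        name, docs = r["index"], int(r["docs.count"])
        if docs < min_docs:
            ok = False
            findings.append(f"{name}: no documents received yet")
        if r["health"] == "red":
            ok = False
            findings.append(f"{name}: red health, primary shard unavailable")
        elif r["health"] == "yellow" and r["rep"] != "0":
            findings.append(f"{name}: yellow, replica unassigned (single node); data still searchable")
    return ok, findings


if __name__ == "__main__":
    status, notes = winlogbeat_status(parse_cat_indices(CAT_INDICES_SAMPLE))
    print("OK" if status else "PROBLEM", *notes, sep="\n")
```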
[7] If Kibana is running, the sample Winlogbeat dashboards can be loaded into it as follows.
  PS > cd "C:\Program Files\winlogbeat"
  PS > ./winlogbeat setup --dashboards