Winlogbeat UTMStack Agent Installation Guide for Windows Server 2008 and 2012

Created by Juan Manuel Libera Frómeta, Modified on Wed, 08 Feb 2023 at 05:06 AM by Juan Manuel Libera Frómeta

1. Download winlogbeat at the following link: https://www.elastic.co/downloads/beats/winlogbeat 

2. Unzip the file in C:\Program Files 

3. Rename the folder to Winlogbeat 

Edit the winlogbeat.yml file in that folder with the probe address and the certificate paths, as shown below (the whole Elasticsearch output section stays commented out, only the Logstash output to the probe is active).

# ======================== Winlogbeat specific options =====================

winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h

  - name: System

  - name: Security

  - name: Microsoft-Windows-Sysmon/Operational

  - name: Windows PowerShell
    event_id: 400, 403, 600, 800

  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104, 4105, 4106

  - name: ForwardedEvents
    tags: [forwarded]

# ==================== Configuration of the Elasticsearch template ====================

setup.template.settings:
  index.number_of_shards: 1
  #index.codec: best_compression
  #_source.enabled: false

# ---------------------------- Elasticsearch Output ----------------------------
# Not used: the agent sends to the UTMStack probe (Logstash), so every line of
# this section stays commented out. The "pipeline" setting is an Elasticsearch
# output option and has no effect with the Logstash output, so it is commented too.

#output.elasticsearch:   --> Comment this line
  # Array of hosts to connect to.
  #hosts: ["localhost:9200"]   --> Comment this line

  # Protocol - either `http` (default) or `https`.
  #protocol: "https"

  # Authentication credentials - API key or username/password.
  #api_key: "id:api_key"
  #username: "elastic"
  #password: "changeme"

  # Pipeline for routing events to the security, sysmon or powershell pipelines.
  #pipeline: "winlogbeat-%{[agent.version]}-routing"

# ------------------------------ Logstash Output -------------------------------

output.logstash:
  # The Logstash hosts
  hosts: ["10.5.40.52:5044"]   --> Configure the IP of the probe the logs are sent to

  # TLS to the probe. The paths are single-quoted on purpose: inside YAML double
  # quotes a backslash starts an escape sequence, so 'C:\Program Files\...' must
  # be written in single quotes (or with every backslash doubled).
  # The <...> file names stand for the files you generated yourself.

  # List of root certificates used to verify the probe's certificate. The default
  # verification mode is "full", so the probe's certificate must carry the IP or
  # host name used in hosts: above in its Subject Alternative Name.
  ssl.certificate_authorities: ['C:\Program Files\Winlogbeat\Keys\<ca>.pem']

  # Certificate for SSL client authentication (a single path, not a list)
  ssl.certificate: 'C:\Program Files\Winlogbeat\Keys\<client-cert>.pem'

  # Client certificate key for SSL client authentication
  ssl.key: 'C:\Program Files\Winlogbeat\Keys\cert.key'

# ================================= Processors =================================

processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~

**The certificates (CA, client certificate and client key) must be generated by yourself and saved in the path referenced above:

C:\Program Files\Winlogbeat\Keys

4. Open a PowerShell console as administrator and run the following commands:

cd 'C:\Program Files\Winlogbeat'

.\install-service-winlogbeat.ps1

**If script execution is disabled on your system, set the execution policy for that one process so the script can run, for example: PowerShell.exe -ExecutionPolicy Unrestricted -File .\install-service-winlogbeat.ps1
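The four steps above as one scripted procedure, added here as an example; it is not Elastic's or UTMStack's own script. It adds the checks a practitioner wants around the manual steps: the downloaded archive is verified against the SHA-512 Elastic publishes beside it before anything in it is unpacked, the private key is restricted to SYSTEM and Administrators, and winlogbeat.yml and the TLS connection to the probe are tested with winlogbeat's own "test config" and "test output" commands before the service is registered. It assumes an elevated PowerShell 5.x session (WMF 5.1 on 2008 R2 / 2012); the version number and the file names under Keys\ (ca.pem, client.pem, cert.key) are assumptions to be matched to your own files and to the ssl.* lines in winlogbeat.yml.

```powershell
# Added example for this article (not Elastic's or UTMStack's own script).
# Two functions for an elevated PowerShell 5.x session: the first downloads,
# verifies and stages Winlogbeat (steps 1-3); the second, run after you have
# edited winlogbeat.yml and copied your certificates into Keys\, checks the TLS
# material and the config against the probe, then registers the service (step 4).
# Version and the file names under Keys\ are assumptions; match them to yours.

$ErrorActionPreference = 'Stop'
$Target  = 'C:\Program Files\Winlogbeat'
$KeysDir = Join-Path $Target 'Keys'

function Install-WinlogbeatFiles {
    param([string]$Version = '8.6.1')   # assumed; use the release you chose on elastic.co

    # Older servers negotiate TLS 1.0 by default, which artifacts.elastic.co rejects.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

    $archive  = "winlogbeat-$Version-windows-x86_64.zip"
    $baseUrl  = 'https://artifacts.elastic.co/downloads/beats/winlogbeat'
    $download = Join-Path $env:TEMP $archive
    if (Test-Path $Target) { throw "$Target already exists; remove the old install first." }

    # Step 1: the zip and the SHA-512 file Elastic publishes beside it.
    Invoke-WebRequest -Uri "$baseUrl/$archive"        -OutFile $download
    Invoke-WebRequest -Uri "$baseUrl/$archive.sha512" -OutFile "$download.sha512"

    # Supply-chain check before anything from the archive is executed.
    # The .sha512 file reads "<hex digest>  <file name>".
    $expected = ((Get-Content "$download.sha512" -Raw).Trim() -split '\s+')[0].ToLower()
    $actual   = (Get-FileHash -Path $download -Algorithm SHA512).Hash.ToLower()
    if ($expected -ne $actual) {
        Remove-Item $download, "$download.sha512"
        throw "SHA-512 mismatch for ${archive}: expected $expected, got $actual. Not installing."
    }

    # Steps 2-3: unzip into C:\Program Files, rename the versioned folder, add Keys\.
    Expand-Archive -Path $download -DestinationPath 'C:\Program Files'
    Rename-Item -Path "C:\Program Files\winlogbeat-$Version-windows-x86_64" -NewName 'Winlogbeat'
    New-Item -ItemType Directory -Path $KeysDir | Out-Null
    "Staged winlogbeat $Version in $Target. Edit winlogbeat.yml, copy the CA, client cert and key into $KeysDir, then run Register-WinlogbeatService."
}

function Register-WinlogbeatService {
    # Assumed names: they must match the ssl.* paths written in winlogbeat.yml.
    param([string]$CaFile = 'ca.pem', [string]$CertFile = 'client.pem', [string]$KeyFile = 'cert.key')

    $paths = foreach ($f in $CaFile, $CertFile, $KeyFile) { Join-Path $KeysDir $f }
    foreach ($p in $paths) {
        if (-not (Test-Path $p)) { throw "Missing TLS file $p; the agent cannot authenticate to the probe without it." }
    }

    # The service runs as LocalSystem, so nobody else needs to read the private key:
    # drop inherited ACEs and grant SYSTEM and Administrators only.
    $keyPath = $paths[2]
    icacls $keyPath /inheritance:r /grant:r 'SYSTEM:(R)' 'BUILTIN\Administrators:(F)' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $keyPath" }

    # Validate the edited config, then make a real connection to the probe
    # (TLS handshake, CA check and client-certificate auth) before installing.
    Set-Location $Target
    & .\winlogbeat.exe test config -e
    if ($LASTEXITCODE -ne 0) { throw 'winlogbeat.yml did not validate; fix it before registering the service.' }
    & .\winlogbeat.exe test output -e
    if ($LASTEXITCODE -ne 0) { throw 'Could not reach the probe over TLS; check hosts:, the CA and the client cert/key.' }

    # Step 4: Elastic's installer script, run with a per-process execution policy as above.
    PowerShell.exe -ExecutionPolicy Unrestricted -File .\install-service-winlogbeat.ps1
    Start-Service -Name winlogbeat
    $svc = Get-Service -Name winlogbeat
    if ($svc.Status -ne 'Running') { throw "winlogbeat service is $($svc.Status), expected Running" }
    "winlogbeat service running; events now go to the probe set in winlogbeat.yml."
}
```

Usage: dot-source the file in an elevated console (. .\Install-Winlogbeat.ps1), run Install-WinlogbeatFiles -Version <the version you downloaded>, edit winlogbeat.yml and copy the three files into Keys\, then run Register-WinlogbeatService with the file names you used. The "test output" step fails before anything is installed if the probe's certificate does not match the CA or does not carry the probe IP in its SAN, which is far easier to diagnose than a service that starts and silently drops its connection.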


