1. Download Winlogbeat from the following link: https://www.elastic.co/downloads/beats/winlogbeat
2. Unzip the file in C:\Program Files
3. Rename the folder to Winlogbeat
Configure the winlogbeat.yml file with the probe data and the certificates. Windows paths are written in single quotes so that YAML does not interpret the backslashes as escape characters.
# ======================== Winlogbeat specific options =====================
winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: System
  - name: Security
  - name: Microsoft-Windows-Sysmon/Operational
  - name: Windows PowerShell
    event_id: 400, 403, 600, 800
  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104, 4105, 4106
  - name: ForwardedEvents
    tags: [forwarded]
# ==================== Elasticsearch template settings ====================
setup.template.settings:
  index.number_of_shards: 1
  #index.codec: best_compression
  #_source.enabled: false
# ---------------------------- Elasticsearch Output ----------------------------
#output.elasticsearch:          --> Comment this line
  # Array of hosts to connect to.
  #hosts: ["localhost:9200"]    --> Comment this line
  # Protocol - either `http` (default) or `https`.
  #protocol: "https"
  # Authentication credentials - API key or username/password.
  #api_key: "id:api_key"
  #username: "elastic"
  #password: "changeme"
  # Pipeline for routing events to the security, sysmon or powershell pipelines.
  # It is only valid under output.elasticsearch, so it stays commented as well.
  #pipeline: "winlogbeat-%{[agent.version]}-routing"
# ------------------------------ Logstash Output -------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["10.5.40.52:5044"]    # --> Configure the probe IP where the logs are sent
  # Optional SSL. By default it is off.
  # List of root certificates for server verification
  # (<ca-certificate> is a placeholder: use the file name of your own CA certificate)
  ssl.certificate_authorities: ['C:\Program Files\Winlogbeat\Keys\<ca-certificate>.pem']
  # Certificate for SSL client authentication
  ssl.certificate: 'C:\Program Files\Winlogbeat\Keys\kyskas.pem'
  # Client certificate key for SSL client authentication
  ssl.key: 'C:\Program Files\Winlogbeat\Keys\cert.key'
# ============================== Processors ==============================
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
**The certificates must be generated by yourself and saved in the path specified above: C:\Program Files\Winlogbeat\Keys.
4. Run a PowerShell console as administrator and run the following commands:
cd 'C:\Program Files\Winlogbeat'
.\install-service-winlogbeat.ps1
**If script execution is disabled on your system, you will need to configure the execution policy of the current session to allow the script to run. For example: PowerShell.exe -ExecutionPolicy Unrestricted -File .\install-service-winlogbeat.ps1
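The following post-install check is an added example, not part of the original article or of Winlogbeat itself. It assumes the install path and probe address used above, and the certificate file names from the configuration (the CA file name is a placeholder you must replace); it verifies the certificate files, the event-log channels, the configuration and the TLS connection to the probe before you rely on the service.

```powershell
# Added check script (not part of the article): run from an elevated PowerShell console.
$ErrorActionPreference = 'Stop'
$base  = 'C:\Program Files\Winlogbeat'   # install path from the article
$probe = '10.5.40.52'                    # Logstash probe from the hosts: setting
$port  = 5044
Set-Location $base

# 1. The files referenced by the ssl.* settings must exist (names assumed from the config;
#    replace ca.pem with the real name of your CA certificate).
$certFiles = @('Keys\ca.pem', 'Keys\kyskas.pem', 'Keys\cert.key')
foreach ($f in $certFiles) {
    $p = Join-Path $base $f
    if (-not (Test-Path $p)) { throw "Missing certificate file: $p" }
    "OK  $p"
}

# 2. Every channel listed under winlogbeat.event_logs must exist and be enabled on this host.
#    Sysmon and the PowerShell operational channel are absent when not installed or enabled,
#    and Winlogbeat cannot collect from a channel that is not there.
$channels = @('Application', 'System', 'Security',
              'Microsoft-Windows-Sysmon/Operational',
              'Windows PowerShell',
              'Microsoft-Windows-PowerShell/Operational',
              'ForwardedEvents')
foreach ($c in $channels) {
    $log = Get-WinEvent -ListLog $c -ErrorAction SilentlyContinue
    if ($null -eq $log)          { Write-Warning "Channel not found: $c" }
    elseif (-not $log.IsEnabled) { Write-Warning "Channel disabled: $c" }
    else                         { "OK  $c ($($log.RecordCount) records)" }
}

# 3. The probe port must be reachable before the TLS handshake can be tested.
$tcp = Test-NetConnection -ComputerName $probe -Port $port -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) { throw "Cannot reach ${probe}:${port} (firewall or probe down?)" }

# 4. Let Winlogbeat validate the YAML and perform the mutual-TLS connection to Logstash.
.\winlogbeat.exe test config -c .\winlogbeat.yml -e
.\winlogbeat.exe test output -c .\winlogbeat.yml -e

# 5. Confirm the service created by install-service-winlogbeat.ps1 is running.
$svc = Get-Service -Name winlogbeat -ErrorAction SilentlyContinue
if ($null -eq $svc) { throw 'winlogbeat service is not installed' }
if ($svc.Status -ne 'Running') { Start-Service -Name winlogbeat }
"Service status: $((Get-Service -Name winlogbeat).Status)"
```

If step 4 fails with a certificate error, check that the CA file is the one that signed the probe's certificate and that the client certificate and key belong to each other.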