1. Download Winlogbeat at the following link https://www.elastic.co/downloads/beats/winlogbeat
2. Unzip the file in C:\Program Files
3. Rename folder to Winlogbeat
4. Configure the winlogbeat.yml file with the address of the probe that receives the logs and the paths to the TLS certificates (indentation matters in YAML; keep the two-space nesting shown below):
winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: System
  - name: Security
  - name: Microsoft-Windows-Sysmon/Operational
  - name: Windows PowerShell
    event_id: 400, 403, 600, 800
  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104, 4105, 4106
  - name: ForwardedEvents
    tags: [forwarded]

#==================== Elasticsearch template setting ====================
setup.template.settings:
  index.number_of_shards: 3

#----------------------------- Logstash output --------------------------------
output.logstash:
  hosts: ['<IP or hostname of the probe the logs are sent to>:5044']
  ssl.certificate_authorities: ['C:\Program Files\Winlogbeat\keys\ca.crt']
  ssl.certificate: 'C:\Program Files\Winlogbeat\keys\client.crt'
  ssl.key: 'C:\Program Files\Winlogbeat\keys\client.key'
  # 'full' (the Beats default) checks the probe's certificate against ca.crt and
  # verifies that it matches the name or IP given in hosts. If the probe's
  # certificate does not contain that name in its SAN, use 'certificate', which
  # still validates the chain. 'none' disables server verification entirely and
  # makes ca.crt pointless, so use it only for troubleshooting.
  ssl.verification_mode: full

#========================== Processors =====================================
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
**You must generate the certificates yourself and save them under the path referenced in the configuration: C:\Program Files\Winlogbeat\keys\ (ca.crt must be the CA that issued the probe's server certificate; client.crt and client.key are the client certificate and private key this host presents to the probe).
5. Open a PowerShell console as administrator and run the following commands:
cd 'C:\Program Files\Winlogbeat'
.\install-service-winlogbeat.ps1
**If script execution is disabled on your system, you must allow the script to run in the current session by setting the execution policy for that process only, for example:
PowerShell.exe -ExecutionPolicy Unrestricted -File .\install-service-winlogbeat.ps1
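The following script is an added example, not part of the original article or of the Winlogbeat project: it checks the deployment from steps 1-5 end to end before handing it to the service. It assumes Winlogbeat was unzipped to C:\Program Files\Winlogbeat, that the certificates are in the keys subfolder with the file names used in winlogbeat.yml, and that it runs in an elevated PowerShell console. The `winlogbeat.exe test config` and `test output` subcommands are Winlogbeat's own; the ACL tightening on the private key is the editor's addition.

```powershell
# Added example (not from the original article): validate the Winlogbeat
# install described in steps 1-5, then register and start the service.
# Assumptions: install dir C:\Program Files\Winlogbeat, certs in .\keys
# named ca.crt / client.crt / client.key, run from an elevated console.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$InstallDir = 'C:\Program Files\Winlogbeat'
$KeyDir     = Join-Path $InstallDir 'keys'
$ConfigPath = Join-Path $InstallDir 'winlogbeat.yml'

Set-Location $InstallDir

# 1. Every certificate file referenced in winlogbeat.yml must exist, otherwise
#    the Logstash output fails at startup and nothing is shipped.
foreach ($f in 'ca.crt', 'client.crt', 'client.key') {
    $p = Join-Path $KeyDir $f
    if (-not (Test-Path $p)) { throw "Missing TLS material: $p" }
}

# 2. Inspect the client certificate. An expired or wrongly issued cert is the
#    most common reason the TLS handshake with the probe fails.
$client = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (Join-Path $KeyDir 'client.crt')
"Client cert subject : $($client.Subject)"
"Client cert issuer  : $($client.Issuer)"
"Client cert expires : $($client.NotAfter)"
if ($client.NotAfter -lt (Get-Date)) { throw 'client.crt has expired' }

# 3. Restrict the private key to SYSTEM (the account the service runs as) and
#    Administrators. Inherited Program Files permissions are dropped.
$keyFile = Join-Path $KeyDir 'client.key'
$acl = Get-Acl $keyFile
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting, discard inherited rules
$acl.Access | ForEach-Object { $null = $acl.RemoveAccessRule($_) }
foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl $keyFile $acl

# 4. Let Winlogbeat validate the YAML itself and open a real TLS connection to
#    the host configured under output.logstash (this exercises the CA, the
#    client certificate and ssl.verification_mode together).
& .\winlogbeat.exe test config -c $ConfigPath -e
if ($LASTEXITCODE -ne 0) { throw 'winlogbeat.yml failed validation' }
& .\winlogbeat.exe test output -c $ConfigPath -e
if ($LASTEXITCODE -ne 0) { throw 'Could not reach the probe over TLS; check hosts, ca.crt and ssl.verification_mode' }

# 5. Register the service with the project's install script, start it and
#    confirm it is running.
& .\install-service-winlogbeat.ps1
Start-Service winlogbeat
Get-Service winlogbeat | Select-Object Name, Status, StartType
```

Run the script only after the certificates are in place; if step 4 fails with a certificate error while the files are present, compare the name or IP in `hosts` with the SAN of the probe's certificate before resorting to `ssl.verification_mode: certificate`.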