
Installing Auditbeat for Windows

Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.


1. Download Auditbeat 6.5.4 for Windows.


2. Extract the contents of the zip file into C:\Program Files.


3. Rename the auditbeat-6.5.4-windows directory in C:\Program Files to auditbeat.


4. Open a PowerShell prompt as administrator and cd into C:\Program Files.

Tip: Right-click on the PowerShell icon and select "Run as Administrator".


5. Set the execution policy so that the install script is allowed to run. cd into the auditbeat folder and run the following command:

PowerShell.exe -ExecutionPolicy Unrestricted -File .\install-service-auditbeat.ps1

The script is case sensitive.


6. Configure the auditbeat.yml file with the correct credentials.

Tip: The easiest way to do this is to open the file up in a code editor such as Visual Studio Code.

Modules Section:

#==========================  Modules configuration =============================
auditbeat.modules:
- module: file_integrity
  paths:
  - C:/windows
  - C:/windows/system32
  - C:/Program Files
  - C:/Program Files (x86)


These are the stock directory paths that ship with Auditbeat. Paths can be set to any directory but not to an individual file.


Kibana Section:

#============================== Kibana =====================================
# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:
  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify an additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  #host: "localhost:5601"
  username: "<username>"
  password: "<password>"


Pnap users use as the host route. App users use


Elasticsearch Section:

#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["<API Endpoint>"]
  # Optional protocol and basic auth credentials.
  protocol: "https"
  username: "<username>"
  password: "<password>"
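The three sections above assembled into one consistent auditbeat.yml, as an added example rather than the post's own file: the file_integrity paths live under a paths: key inside auditbeat.modules, the Kibana settings under setup.kibana, and the output under output.elasticsearch. The endpoint placeholders are the post's; the exclude_files pattern and the keystore variable names (ES_USER, ES_PWD, KIBANA_USER, KIBANA_PWD) are assumptions chosen for this example. It also places the weak setting (credentials stored as plaintext in a file any local administrator can read) beside the corrected one: ${VAR} references that Auditbeat resolves from its keystore at startup.

```yaml
#==========================  Modules configuration =============================
auditbeat.modules:
  - module: file_integrity
    # The stock Windows paths from the post; directories only, no individual files.
    paths:
      - C:/windows
      - C:/windows/system32
      - C:/Program Files
      - C:/Program Files (x86)
    # Constructed example pattern (assumption): skip files that churn constantly
    # so that real binary/config changes are not buried in noise.
    exclude_files:
      - '(?i)\.(?:log|tmp|etl)$'
    # Record a SHA-256 so a modified binary can be compared with a known-good hash.
    hash_types: [sha256]
    # Baseline every monitored directory when the service starts.
    scan_at_start: true

#============================== Kibana =====================================
setup.kibana:
  host: "<kibana endpoint>"
  # Weak: secrets in plaintext on disk.
  #username: "<username>"
  #password: "<password>"
  # Corrected: values come from the Beats keystore (names are assumptions).
  username: "${KIBANA_USER}"
  password: "${KIBANA_PWD}"

#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:
  hosts: ["<API Endpoint>"]
  protocol: "https"
  # Weak: secrets in plaintext on disk.
  #username: "<username>"
  #password: "<password>"
  # Corrected: values come from the Beats keystore (names are assumptions).
  username: "${ES_USER}"
  password: "${ES_PWD}"
```

Create the keystore once from the auditbeat folder, for example `.\auditbeat.exe keystore create` followed by `.\auditbeat.exe keystore add ES_PWD` (and the other names used above); the command prompts for each value. The keystore is written under Auditbeat's data path, so when the service runs with a different data path than your interactive shell (the install script sets one; check its -path.data value), pass the same `--path.data` to the keystore commands so the service finds the file. Confirm the references resolve before going further: `.\auditbeat.exe test config` should report a valid configuration and `.\auditbeat.exe test output` should reach Elasticsearch with the stored credentials.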



7. Test the auditbeat.yml configuration. In PowerShell, run the following command from the auditbeat folder:

.\auditbeat.exe -e -configtest

Tip: If everything has been entered correctly, the Auditbeat configuration is printed to the terminal without any ERROR messages.


8. Set up the pre-configured dashboards in Kibana.

.\auditbeat.exe setup --dashboards

This loads the pre-configured dashboards and the matching index pattern into Kibana automatically.


9. Run the program in the foreground to make sure everything is set up:

.\auditbeat.exe -c auditbeat.yml -e -d "*"

This runs Auditbeat in the terminal and continually displays its log output in real time. Use CTRL-C to terminate the foreground process at any time.


10. Once the program has run successfully in the foreground, install Auditbeat as a service:


Tip: If installed correctly, the terminal displays the service's Status, Name, and Display Name.


11. Start the Auditbeat service as a background process.

start-service auditbeat

Logs should already start appearing in the Discover tab within seconds.
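Steps 7 through 11 as one PowerShell script that stops at the first failure and verifies the result, added here as an example and not part of the original post. It assumes Auditbeat was extracted to C:\Program Files\auditbeat (steps 2-3), auditbeat.yml is already configured (step 6), and the shell is elevated (step 4). It uses the `test config` and `test output` subcommands in place of the deprecated -configtest flag, and the log directory C:\ProgramData\auditbeat\logs is an assumption to check against the -path.logs value in install-service-auditbeat.ps1.

```powershell
# Added example (not from the original post): validate, install, start and verify
# the Auditbeat service, failing fast at the first problem.
$auditbeatHome = 'C:\Program Files\auditbeat'
# Assumed log location; older builds may write to "$auditbeatHome\logs" instead.
$logDir = 'C:\ProgramData\auditbeat\logs'

Set-Location $auditbeatHome

# 1. Validate the YAML before touching the Service Control Manager.
& .\auditbeat.exe test config -c .\auditbeat.yml -e
if ($LASTEXITCODE -ne 0) { throw 'auditbeat.yml failed validation; fix it before installing the service.' }

# 2. Confirm the Elasticsearch output is reachable with the configured TLS and credentials.
& .\auditbeat.exe test output -c .\auditbeat.yml -e
if ($LASTEXITCODE -ne 0) { throw 'Cannot reach the Elasticsearch output; check hosts, protocol and credentials.' }

# 3. Register the service with the post's install script, skipping it if already registered.
if (-not (Get-Service -Name auditbeat -ErrorAction SilentlyContinue)) {
    PowerShell.exe -ExecutionPolicy Unrestricted -File .\install-service-auditbeat.ps1
}

# 4. Make the SCM restart the agent if it crashes, so audit coverage does not silently lapse
#    (three restarts one minute apart; the failure counter resets after a day).
& sc.exe failure auditbeat reset= 86400 actions= restart/60000/restart/60000/restart/60000 | Out-Null

# 5. Start it and confirm it stays running (the same Status/Name/DisplayName the post mentions).
Start-Service -Name auditbeat
Start-Sleep -Seconds 5
$svc = Get-Service -Name auditbeat
$svc | Select-Object Status, Name, DisplayName
if ($svc.Status -ne 'Running') { throw 'Auditbeat service is not running.' }

# 6. Scan the newest log file for the ERROR lines the post says should not appear.
$latest = Get-ChildItem -Path $logDir -Filter 'auditbeat*' -File -ErrorAction SilentlyContinue |
          Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($latest) {
    $errorLines = Select-String -Path $latest.FullName -Pattern '\bERROR\b'
    if ($errorLines) {
        $errorLines | ForEach-Object { $_.Line }
        throw "Auditbeat logged errors; see $($latest.FullName)"
    }
    "No ERROR lines in $($latest.FullName)"
} else {
    Write-Warning "No log file found under $logDir yet; check the path or wait a few seconds."
}
```

Run it once from an elevated prompt after step 6; it is safe to re-run, since the service is only registered when absent and every other step is idempotent.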


12. In the "Discover" tab of Kibana, create an index pattern to display the logs.

Entering auditbeat* should match the incoming Auditbeat logs from Windows. Click "Next" to continue setting up the index pattern with the desired configuration. Upon completion, the Auditbeat logs from Windows should start displaying in real time as they are created.

Tip: The "Refresh Interval" may need to be shortened to see incoming logs appear.