You need to log in to create posts and topics.

Installing Winlogbeat for Windows

Winlogbeat is a live streaming lightweight shipper for windows event logs. It helps to keep a pulse on what's happening across Windows-based infrastructures.

 

1. Download the Winlogbeat 6.5.4 bit for windows.

https://artifacts.elastic.co/downloads/beats/winlogbeat/winlogbeat-6.5.4-windows-x86_64.zip

 

2. Extract the contents of the zip file into C:\Program Files.

 

3. Rename the winlogbeat-6.5.4-windows directory in C:\Program Files to winlogbeat.

 

4. Open a PowerShell prompt as administrator and cd into C:\Program Files.

Tip: Right-click on the PowerShell icon and select "Run as Administrator".

 

5. Set the execution policy to be able to run the execution script. Cd into the winlogbeat folder and run the following script:

PowerShell.exe -ExecutionPolicy Unrestricted -File .\install-service-winlogbeat.ps1

The script is case sensitive

 

6. Configure the winlogbeat.yml  file with the correct Vizion.ai credentials. 

Tip: The easiest way to do this is to open the file up in a code editor such as Visual Studio Code.

Kibana Section:

#============================== Kibana =====================================
# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:
# Kibana Host
# Scheme and port can be left out and will be set to the default (http and 5601)
# In case you specify and additional path, the scheme is required: http://localhost:5601/path
# IPv6 addresses should always be defined as: https://%5B2001:db8::1]:5601
#host: "localhost:5601"
username: "<username>"
password: "<password>"

 

Pnap users use https://pnap.vizion.ai:443/kibana as the host route. App users use https://app.vizion.ai:443/kibana

 

Elasticsearch Output Section:

#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:
# Array of hosts to connect to.
hosts: ["Vizion.ai API Endpoint"]
# Optional protocol and basic auth credentials.
protocol: "https"
username: "<username>"
password: "<password>"

 

 

7. Test the winlogbeat.yml configuration. In the PowerShell, run the following script in the winlogbeat folder:

.\winlogbeat.exe -e -configtest

Tip: The Winlogbeat configuration will display in the terminal without any ERROR messages if everything has been entered correctly.

 

8. Run the program in the foreground to make sure everything is setup:

.\winlogbeat.exe -c winlogbeat.yml -e -d "*"

This will run Winlogbeat in the terminal and will continually display any logs being added in real-time. They will be coming in quick. Use CTRL-C  to terminate in the foreground process at any time.

 

9. Once the program has run successfully in the foreground, install Winlogbeat as a service:

.\install-service-winlogbeat.ps1

Tip: If installed correctly, the terminal will display the Status, Name, and Display Name.

 

10. Start the Winlogbeat service as a background process.

start-service winlogbeat

Logs should already start appearing in the Vizion.ai Discover tab within seconds.

 

11.  In the "Discover" tab of the Vizion.ai Kibana dashboard, create an index to display the logs. 

Inputting winlogbeat* should match the incoming winlogbeat logs from Windows. Click "next" to continue setting up the index with the desired configuration. Upon completion, the winlogbeat logs from windows should start displaying in real-time as they are created.

Tip: The "Refresh Interval" may need to be modified to a shorter time span to see incoming logs appear.