Sending Windows Logs using WinLogbeat

Download Winlogbeat (64-bit Windows zip) from the Elastic downloads page.

Step 1: Extract winlogbeat.zip into C:\Program Files\ and rename the extracted folder to Winlogbeat, so that winlogbeat.exe and winlogbeat.yml end up in C:\Program Files\Winlogbeat (should look like the image below).

Step 2: Open winlogbeat.yml with Notepad (run as Administrator, since the folder is under Program Files) and edit it:

We will add the following under winlogbeat.event_logs:

winlogbeat.event_logs:
  # One channel per entry. Winlogbeat does not accept a comma-separated list of
  # channel names in a single name field, so the RDP and firewall channels
  # below each get their own entry with the same event_id filter.
  - name: Security
    event_id: 1102,4608,4609,4624-4648,4700-4800,4950
    ignore_older: 72h

  - name: Application
    event_id: 1000,1001,1002
    ignore_older: 72h

  - name: "Microsoft-Windows-TaskScheduler/Operational"
    event_id: 106,129,140,141,142
    ignore_older: 72h

  - name: System
    # 1102, 4697 and 4719 are Security-log event IDs and will not match in the
    # System channel; 104 (log cleared) and the 6005/70xx service events are the
    # System-channel entries of interest.
    event_id: 6,102,104,1102,4697,4719,6005,7022,7023,7024,7025,7026,7031,7032,7034,7045
    ignore_older: 72h

  - name: "Microsoft-Windows-Application-Experience/Program-Inventory"
    event_id: 903,904
    ignore_older: 72h

  # 21/23/24/25 (logon, logoff, disconnect, reconnect) are written by
  # LocalSessionManager/Operational; 1102 (outbound RDP connection) by
  # RDPClient/Operational. The same filter is applied to all three channels.
  - name: "Microsoft-Windows-TerminalServices-RDPClient/Operational"
    event_id: 21,23,24,25,1102
    ignore_older: 72h

  - name: "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"
    event_id: 21,23,24,25,1102
    ignore_older: 72h

  - name: "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
    event_id: 21,23,24,25,1102
    ignore_older: 72h

  # Firewall rule add/modify/delete (2004/2005/2006), all rules deleted (2033)
  # and settings load failure (2009). The *Verbose channels are disabled by
  # default and must be enabled in Event Viewer before they produce events.
  - name: "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity"
    event_id: 2004,2005,2006,2033,2009
    ignore_older: 72h

  - name: "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose"
    event_id: 2004,2005,2006,2033,2009
    ignore_older: 72h

  - name: "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"
    event_id: 2004,2005,2006,2033,2009
    ignore_older: 72h

  - name: "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose"
    event_id: 2004,2005,2006,2033,2009
    ignore_older: 72h

  - name: "Microsoft-Windows-Windows Firewall With Advanced Security/Network Isolation Operational"
    event_id: 2004,2005,2006,2033,2009
    ignore_older: 72h

  - name: "Microsoft-Windows-WindowsUpdateClient/Operational"
    event_id: 20,24,25,31,34,35
    ignore_older: 72h

ignore_older: 72h tells Winlogbeat to skip any event older than 72 hours, so the first start ships only the last three days of each channel instead of the entire event log history. After that first run Winlogbeat records its position in each channel in its registry file and resumes from there on restart, so the setting mainly matters on first start (or after the registry file has been deleted).

Next, scroll down to output.logstash: and add the MOH Logstash server information there:

output.logstash:
  # The Logstash hosts (the beats input listens on 5044 by default)
  hosts: ["logstashserver_dns_name:5044"]
  index: winlogbeat
  # If the beats input on Logstash is TLS-enabled, also set
  # ssl.certificate_authorities here (and ssl.certificate / ssl.key when the
  # input requires client certificates); otherwise the logs cross the network
  # in clear text.

Save the winlogbeat.yml and exit.


Step 3: Install Winlogbeat as a service

Launch PowerShell (Run as Administrator) and enter the following:

cd "C:\Program Files\Winlogbeat"
powershell.exe -ExecutionPolicy UnRestricted -File .\install-service-winlogbeat.ps1
Start-Service winlogbeat

Verify that the service is running, for example with Get-Service winlogbeat, which should report Status as Running.
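The three steps above are usually typed by hand; the script below is an added example (not part of the original page and not an Elastic-provided script) that runs the same install from an elevated PowerShell prompt but checks each assumption first: that every channel named in winlogbeat.yml exists and is enabled on this host, that Winlogbeat itself accepts the file, that the Logstash port is reachable, and that the service actually stays running. It assumes the Step 1 layout (C:\Program Files\Winlogbeat holding winlogbeat.exe and winlogbeat.yml); the Logstash host name is the same placeholder used in the yml above and must be replaced.

```powershell
# Added example: pre-flight checks plus install for the Winlogbeat setup above.
# Assumes the Step 1 layout; $LogstashHost is a placeholder taken from the yml.

$BeatDir      = 'C:\Program Files\Winlogbeat'
$ConfigPath   = Join-Path $BeatDir 'winlogbeat.yml'
$LogstashHost = 'logstashserver_dns_name'   # placeholder, same as output.logstash.hosts
$LogstashPort = 5044

Set-Location $BeatDir

# 1. Every channel under winlogbeat.event_logs must exist on this host and be
#    enabled, otherwise Winlogbeat logs an error for it and collects nothing.
#    The regex picks up the quoted or bare value after "- name:". An entry that
#    lists several channels separated by commas fails this check, which is the
#    right outcome: Winlogbeat expects exactly one channel per entry.
$channels = Select-String -Path $ConfigPath -Pattern '^\s*-\s*name:\s*"?([^"#]+?)"?\s*$' |
    ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() }

foreach ($ch in $channels) {
    $log = Get-WinEvent -ListLog $ch -ErrorAction SilentlyContinue
    if (-not $log) {
        Write-Warning "Channel not found on this host: $ch"
    } elseif (-not $log.IsEnabled) {
        # Verbose/analytic channels (e.g. the firewall *Verbose logs) are
        # disabled by default; enable them in Event Viewer or drop the entry.
        Write-Warning "Channel exists but is disabled: $ch"
    } else {
        Write-Host ("OK  {0}  ({1} records)" -f $ch, $log.RecordCount)
    }
}

# 2. Let Winlogbeat parse the file itself. A YAML error here is the usual
#    reason the service starts and then stops immediately.
& .\winlogbeat.exe test config -c $ConfigPath -e
if ($LASTEXITCODE -ne 0) { throw "winlogbeat.yml failed validation" }

# 3. Confirm the beats port is reachable, then let Winlogbeat do its own
#    output handshake (this also exercises any ssl.* settings in the yml).
$tnc = Test-NetConnection -ComputerName $LogstashHost -Port $LogstashPort -WarningAction SilentlyContinue
if (-not $tnc.TcpTestSucceeded) { throw "Cannot reach ${LogstashHost}:${LogstashPort}" }
& .\winlogbeat.exe test output -c $ConfigPath -e
if ($LASTEXITCODE -ne 0) { throw "Logstash output test failed" }

# 4. Install the service with the script shipped in the zip (same as Step 3),
#    start it, and make sure it is still running a few seconds later.
if (-not (Get-Service winlogbeat -ErrorAction SilentlyContinue)) {
    powershell.exe -ExecutionPolicy Unrestricted -File .\install-service-winlogbeat.ps1
}
Start-Service winlogbeat
Start-Sleep -Seconds 5
$svc = Get-Service winlogbeat
if ($svc.Status -ne 'Running') { throw "winlogbeat service is $($svc.Status)" }

# 5. Tail Winlogbeat's own log. Depending on the version it lives under
#    C:\ProgramData\winlogbeat\logs or in logs\ next to the executable; the
#    last lines show whether events are being published or the output fails.
Get-ChildItem -Path (Join-Path $BeatDir 'logs'), 'C:\ProgramData\winlogbeat\logs' -Filter 'winlogbeat*' -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1 |
    ForEach-Object { Get-Content $_.FullName -Tail 20 }
```

Run it once per host after editing winlogbeat.yml. The channel check is the part that catches the configuration mistakes that are otherwise silent: a channel name that does not exist on that Windows version, a verbose channel that was never enabled, or a name field that holds several channels at once.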
