WinLogBeat for Windows Event logs
This guide uses PowerShell for setup / installation!
WinLogBeat is a small applet that allows you to export Windows Event logs to Elasticsearch / Logstash.
1. Download WinLogBeat from elastic.co.
To download from PowerShell you can use
wget https://artifacts.elastic.co/downloads/beats/winlogbeat/winlogbeat-7.2.0-windows-x86_64.zip "C:\Program Files\WinLogBeat\WinLogBeat.zip"
At the time of this page creation, WinLogBeat is at version 7.2.0.
2. Extract the WinLogBeat zip file to its new home directory.
In PowerShell you can use Expand-Archive to extract the zip file.
Expand-Archive -Path "C:\Program Files\WinLogBeat\WinLogBeat.zip" -DestinationPath "C:\Program Files\WinLogBeat"; Remove-Item -Path "C:\Program Files\WinLogBeat\WinLogBeat.zip"
3. Configure the
notepad "C:\Program Files\WinLogBeat\winglogbeat.yml"
4. Install WinLogBeat as a service.
Now you can do this before step 3 if you want but its just easier to edit the config first and then install the service.
Open an elevated PowerShell window (If you are on Windows Server or Server Core and logged in as Admin you default to elevated PS).
cd 'C:\Program Files\WinLogBeat'; ./install-service-winlogbeat.ps1
5. (OPTIONAL) Log in to Kibana and verify that Elasticsearch / Logstash is receiving log files.
You can verify they are getting data by checking your index patterns to see if a new one is listed for WinLogBeat.
Here is an example of a WinLogBeat log in Kibana. This is for a custom WatchDog PowerShell script I have setup for watching my Plex Media Server. This log is being directly sent to Elasticsearch without any type of editing from Logstash. - Alexander Henderson
The script uses PowerShell's built in Event Log writing.