
Elastic Stack 8 - Winlogbeat to monitor Windows Servers


We have previously seen how to install Elastic Stack (Part I) and how to monitor Cisco switches (Part II). Here I will describe how we can monitor Windows machines.

To do so we need to install Winlogbeat on every Windows station we want to monitor.

Winlogbeat works as an agent: it collects event log information on the Windows host and ships it to the Elasticsearch server.

Thanks to this module we can monitor user logon activity, failed and blocked accounts, events, etc.

Winlogbeat Architecture

Figure: Winlogbeat architecture schema with Elasticsearch and Kibana.

Installing Winlogbeat (Windows)

I'll install Winlogbeat on every machine I want to monitor in Elasticsearch.

Download Winlogbeat

  • Connect to the official website and download the zip package:
https://www.elastic.co/downloads/beats/winlogbeat
  • Once downloaded, unzip the file to C:\Program Files\winlogbeat.
  • Edit winlogbeat.yml and replace the X.X.X.X address with your own Elasticsearch (and Kibana) server address:
# =================================== Kibana ===================================

# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:

  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify an additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  host: "https://X.X.X.X:5601"
  ssl.verification_mode: none
  username: "elastic"
  password: "elastic_password;)"

# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["X.X.X.X:9200"]

  # Protocol - either `http` (default) or `https`.
  protocol: "https"
  ssl.verification_mode: none

  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  username: "elastic"
  password: "elastic_password;)"
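As an added check, not part of the original post or of Winlogbeat itself, the Python below reads the two sections above and flags what a reviewer would reject before rollout: the X.X.X.X placeholder left in place, ssl.verification_mode set to none, and a clear-text password. parse_sections is a hypothetical helper for this flat layout only, not a YAML library.

```python
import re

# Constructed sample based on the post's winlogbeat.yml (placeholder kept, TLS checks off).
SAMPLE_CONFIG = """\
setup.kibana:
  host: "https://X.X.X.X:5601"
  ssl.verification_mode: none
  username: "elastic"
  password: "elastic_password;)"
output.elasticsearch:
  hosts: ["X.X.X.X:9200"]
  protocol: "https"
  ssl.verification_mode: none
  username: "elastic"
  password: "elastic_password;)"
"""
PLACEHOLDER = re.compile(r"X\.X\.X\.X|KIBANA_IP_SERVER")


def parse_sections(text):
    """Minimal reader for the 'section:' / '  key: value' layout above.
    A hypothetical helper, not a full YAML parser; comments are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):            # top-level section header
            current = line.rstrip(":")
            sections[current] = {}
        elif current is not None:               # indented key: value
            key, _, value = line.strip().partition(":")
            sections[current][key.strip()] = value.strip().strip('"')
    return sections


def audit(text):
    """Return (section, issue) pairs for settings that should not ship."""
    findings = []
    for section, keys in parse_sections(text).items():
        endpoint = keys.get("host", keys.get("hosts", ""))
        if PLACEHOLDER.search(endpoint):
            findings.append((section, "placeholder address not replaced"))
        if keys.get("ssl.verification_mode") == "none":
            findings.append((section, "TLS certificate verification disabled"))
        if keys.get("protocol", "https") != "https" or endpoint.startswith("http://"):
            findings.append((section, "plaintext transport"))
        if keys.get("password"):
            findings.append((section, "clear-text password; use the Beats keystore or an api_key"))
    return findings
```

Run audit(SAMPLE_CONFIG) to see both sections flagged; a config that points at a real https host, trusts the server CA and authenticates with an api_key comes back clean.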

Install Winlogbeat

  • Open PowerShell with administrator rights.
  • Go to the C:\Program Files\winlogbeat directory:
PS C:\> cd "C:\Program Files\winlogbeat"
  • Check the winlogbeat.yml file:
PS C:\> .\winlogbeat.exe test config -c .\winlogbeat.yml
  • Install the Winlogbeat service:
PS C:\> powershell -executionpolicy UnRestricted -file .\install-service-winlogbeat.ps1
  • Set up the predefined assets for parsing, indexing and visualizing:
PS C:\> .\winlogbeat.exe setup -e
  • Start the Winlogbeat service:
PS C:\> Start-Service winlogbeat

Kibana

Check indices

  • Open Firefox and go to https://KIBANA_IP_SERVER:5601/, then from the main menu go to Management > Stack Management.
  • From Stack Management go to Data > Index Management.
  • You should see your indices.

Dashboard

There are a lot of predefined dashboards for Winlogbeat; we will see how to use them.

  • Open the main menu and go to Kibana > Dashboard.
  • Type Winlogbeat and choose a dashboard.
  • For example, the Failed and Blocked Account dashboard.

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
