Elastic SIEM Part III - Winlogbeat to monitor Windows Servers


We have previously seen how to install Elastic SIEM (Part I) and how to monitor Cisco switches (Part II). Here I will describe how we can monitor Windows machines.

To do so we need to install the Winlogbeat agent on every Windows machine we want to monitor.

Winlogbeat runs as an agent that reads the Windows event logs on the host and ships them to the Elasticsearch server.

Winlogbeat Architecture

Figure: Winlogbeat architecture (Winlogbeat agents shipping events to Elasticsearch, visualized in Kibana).

Installing Winlogbeat (Windows)

I'll install Winlogbeat on every machine we want to see in Elasticsearch.

Download Winlogbeat

  • Go to the official website and download the zip package:
https://www.elastic.co/downloads/beats/winlogbeat
  • Once downloaded, unzip the file to C:\Program Files\winlogbeat.
  • Edit winlogbeat.yml and replace the 192.168.1.200 address with your own Elasticsearch server address:
# =================================== Kibana ===================================

# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:

  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify an additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  host: "192.168.1.200:5601"

# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["192.168.1.200:9200"]

Install Winlogbeat

  • Open a PowerShell prompt with administrator rights.
  • Go to the C:\Program Files\winlogbeat directory:
PS C:\> cd "C:\Program Files\winlogbeat"
  • Check the winlogbeat.yml file:
PS C:\> .\winlogbeat.exe test config -c .\winlogbeat.yml
  • Install the Winlogbeat service:
PS C:\> powershell -executionpolicy UnRestricted -file .\install-service-winlogbeat.ps1
  • Set up the predefined assets for parsing, indexing, and visualizing (index templates and Kibana dashboards):
PS C:\> .\winlogbeat.exe setup -e
  • Start the Winlogbeat service:
PS C:\> Start-Service winlogbeat
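Since the same sequence has to be repeated on every monitored host, here it is as an unattended PowerShell script that stops at the first failure. This is an added example, not code from the original post or from Elastic; the install path and the $LoadAssets switch are assumptions, and it expects winlogbeat.yml to already be edited as shown above.

```powershell
# Added example, not part of the original post: an unattended version of
# the manual steps above, meant to be pushed to every Windows host.
# Assumptions: the zip is already unpacked to $BeatDir and winlogbeat.yml
# already points at your Elasticsearch/Kibana host (192.168.1.200 above).
$ErrorActionPreference = 'Stop'
$BeatDir    = 'C:\Program Files\winlogbeat'   # assumed install path, as above
$LoadAssets = $false   # set to $true on ONE host only: templates/dashboards are per cluster

Set-Location -Path $BeatDir

# 1. Validate the YAML first. A bad config is the usual reason the service
#    starts and then silently stops a few seconds later.
& .\winlogbeat.exe test config -c .\winlogbeat.yml
if ($LASTEXITCODE -ne 0) { throw 'winlogbeat.yml failed validation' }

# 2. Confirm Elasticsearch is reachable with the configured output (host,
#    TLS, credentials) before enrolling this machine.
& .\winlogbeat.exe test output -c .\winlogbeat.yml
if ($LASTEXITCODE -ne 0) { throw 'cannot reach the Elasticsearch output' }

# 3. Register the service only if it is missing, so re-running the script
#    on an already-enrolled host is harmless.
if (-not (Get-Service -Name winlogbeat -ErrorAction SilentlyContinue)) {
    powershell.exe -ExecutionPolicy Unrestricted -File .\install-service-winlogbeat.ps1
    if ($LASTEXITCODE -ne 0) { throw 'service installation failed' }
}

# 4. Load index templates and Kibana dashboards (once per cluster).
if ($LoadAssets) {
    & .\winlogbeat.exe setup -e
    if ($LASTEXITCODE -ne 0) { throw 'winlogbeat setup failed' }
}

# 5. Start the service and make sure it is still running a few seconds
#    later; a service that starts and dies is the most common silent failure.
Start-Service -Name winlogbeat
Start-Sleep -Seconds 5
$svc = Get-Service -Name winlogbeat
if ($svc.Status -ne 'Running') {
    throw "winlogbeat service is not running (status: $($svc.Status))"
}
Write-Host "Winlogbeat is running on $env:COMPUTERNAME"
```

Run it from an elevated PowerShell on each host; a host that fails any step exits with the reason, so it is easy to see which machines did not enroll.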

Kibana

Check indices

Now that the data is indexed, we can check the indices and then use a dashboard in Kibana to get a graphical view of the Windows event logs.

  • Open Firefox and go to http://KIBANA_IP_SERVER:5601/
  • Open the main menu and go to Management > Stack Management.
  • From Stack Management go to Data > Index Management.
  • You should see your winlogbeat indices listed.

Dashboard

Winlogbeat ships with many predefined dashboards; we will see how to use them.

  • Open the main menu and go to Kibana > Dashboard.
  • Type Winlogbeat in the search box and choose a dashboard.
  • For example, the Failed and Blocked Account dashboard gives an overview of failed logons and blocked accounts across the monitored hosts.
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
