Winlogbeat

Winlogbeat is an open source log shipper that can forward Windows event logs to Humio®. This document describes how to install and configure Winlogbeat.

Installation

Note: The instructions below are taken in part from the official Winlogbeat documentation.

  1. Download the latest version of Winlogbeat from the following URL: https://www.elastic.co/downloads/past-releases#winlogbeat-oss (Important Note: You must download and install the open source version of Winlogbeat. The proper download page will look like the screenshot below. The standard version of Winlogbeat is designed to only work with Elasticsearch and will not connect to Humio successfully. Please make sure that the file name of the file that you download looks like winlogbeat-oss-7.2.0-windows-x86_64.zip.)

    Downloading Winlogbeat OSS

  2. Extract the contents of the .zip file into C:\Program Files\Winlogbeat.

  3. Open a PowerShell prompt as an Administrator.

  4. Navigate to the Winlogbeat directory: PS C:\Users\Administrator> cd 'c:\Program Files\Winlogbeat'

  5. Run the Winlogbeat installation script: PS C:\Program Files\Winlogbeat> .\install-service-winlogbeat.ps1 (Note: If script execution is disabled on the system you will need to enable it for the current session using the following command: powershell.exe -executionpolicy unrestricted -file .\install-service-winlogbeat.ps1.)

  6. Edit the winlogbeat.yml file found in C:\Program Files\Winlogbeat to contain the basic settings needed to send data to Humio. The following example file collects application, system, and security data and also logs Winlogbeat’s operations to disk in order to facilitate troubleshooting if needed. Update the hosts and password fields with your Humio server’s address and the ingest token for your repository.

    #======================= Winlogbeat specific options ===========================
    # https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-configuration.html
    #------------------------------------------------------------------------------
    winlogbeat.event_logs:
      - name: Application
      - name: System
      - name: Security
    
    #================================ Outputs =====================================
    # Configure what output to use when sending the data collected by the beat.
    # hosts and password must be indented under output.elasticsearch, otherwise
    # the file is not valid YAML and "test config" will reject it.
    #------------------------------------------------------------------------------
    output.elasticsearch:
      hosts: ["http://<insert url>/api/v1/ingest/elastic-bulk"]
      password: "*************************************"
    
    #================================ Logging =====================================
    # Configure Winlogbeat to log locally in case we need to troubleshoot
    #------------------------------------------------------------------------------
    logging.to_files: true
    logging.files:
      path: C:\ProgramData\Winlogbeat\Logs
    logging.level: info
    
  7. Verify that your winlogbeat.yml file is valid using the following command in PowerShell: PS C:\Program Files\Winlogbeat> .\winlogbeat.exe test config -c .\winlogbeat.yml -e

  8. If your configuration is valid you can start Winlogbeat using the following command: PS C:\Program Files\Winlogbeat> Start-Service winlogbeat (Note: In the future you can start and stop the Winlogbeat service using the Windows Services Control Panel as shown below.)

    Start Winlogbeat Service
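The eight steps above can be run unattended. The following PowerShell script is an added example, not part of the Humio documentation or of the Winlogbeat project. It assumes the OSS zip has already been downloaded from the page linked in step 1; $ZipPath, $ExpectedSha512, $HumioUrl and $IngestToken are placeholders to fill in, and the SHA-512 value is whatever the download page publishes beside the archive. Before touching the system it refuses any archive whose name lacks the "-oss-" marker, which is the mistake the Troubleshooting section below names as the most common one.

```powershell
#Requires -RunAsAdministrator
# Added example: unattended Winlogbeat OSS install following steps 1-8 above.
# Placeholders (fill these in): $ZipPath, $ExpectedSha512, $HumioUrl, $IngestToken.
param(
    [string]$ZipPath        = "$env:USERPROFILE\Downloads\winlogbeat-oss-7.2.0-windows-x86_64.zip",
    [string]$ExpectedSha512 = "<paste the SHA-512 shown on the download page>",  # placeholder
    [string]$HumioUrl       = "http://<insert url>",                             # placeholder
    [string]$IngestToken    = "<insert ingest token>",                           # placeholder
    [string]$InstallDir     = 'C:\Program Files\Winlogbeat'
)
$ErrorActionPreference = 'Stop'

# Step 1 guard: the standard build will not connect to Humio, so refuse anything
# that is not the OSS archive before extracting or installing.
if ((Split-Path -Path $ZipPath -Leaf) -notmatch '^winlogbeat-oss-') {
    throw "Expected an OSS archive (winlogbeat-oss-*.zip), got: $ZipPath"
}
# Optional integrity check. Get-FileHash returns upper-case hex; -ne compares
# case-insensitively, so a lower-case published value still matches.
if ($ExpectedSha512 -notmatch '^<') {
    $actual = (Get-FileHash -Path $ZipPath -Algorithm SHA512).Hash
    if ($actual -ne $ExpectedSha512) { throw "SHA-512 mismatch for $ZipPath" }
}

# Step 2: the zip contains one versioned top-level folder, so unpack to a temp
# directory and move that folder's contents into $InstallDir.
$tmp = Join-Path $env:TEMP ('winlogbeat-' + [guid]::NewGuid())
Expand-Archive -Path $ZipPath -DestinationPath $tmp
$inner = Get-ChildItem -Path $tmp -Directory | Select-Object -First 1
New-Item -ItemType Directory -Path $InstallDir -Force | Out-Null
Copy-Item -Path (Join-Path $inner.FullName '*') -Destination $InstallDir -Recurse -Force
Remove-Item -Path $tmp -Recurse -Force

# Steps 3-5: register the service. -ExecutionPolicy Bypass applies to this one
# child process only, so the machine-wide policy is left as it was.
Set-Location -Path $InstallDir
powershell.exe -NoProfile -ExecutionPolicy Bypass -File .\install-service-winlogbeat.ps1

# Step 6: write the minimal configuration from the documentation. ASCII output
# avoids a byte-order mark at the top of the YAML file.
@"
winlogbeat.event_logs:
  - name: Application
  - name: System
  - name: Security

output.elasticsearch:
  hosts: ["$HumioUrl/api/v1/ingest/elastic-bulk"]
  password: "$IngestToken"

logging.to_files: true
logging.files:
  path: C:\ProgramData\Winlogbeat\Logs
logging.level: info
"@ | Set-Content -Path (Join-Path $InstallDir 'winlogbeat.yml') -Encoding ASCII

# Step 7: validate before starting anything; a non-zero exit code aborts here.
& .\winlogbeat.exe test config -c .\winlogbeat.yml -e
if ($LASTEXITCODE -ne 0) { throw 'winlogbeat.yml failed validation' }

# Step 8: start the service and show its state.
Start-Service -Name winlogbeat
Get-Service -Name winlogbeat | Select-Object -Property Name, Status
```

Run it from an elevated PowerShell prompt as .\Install-WinlogbeatOss.ps1 (any file name works), overriding the placeholders with -HumioUrl and -IngestToken. The ingest token is written into winlogbeat.yml in clear text, exactly as in the manual procedure, so keep the file's NTFS permissions restricted to administrators and the service account.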

Configuration

The following section covers additional areas for configuration of Winlogbeat including how to add additional event logs to be sent to Humio and how to make performance adjustments. (Note: For more information about Winlogbeat configuration, please read the Winlogbeat Configuration Options Guide.)

Adding Event Logs

In the example configuration above we set up Winlogbeat to send events from the Windows System, Security, and Application event logs:

winlogbeat.event_logs:
  - name: Application
  - name: System
  - name: Security

A full list of available event logs can be seen in PowerShell by running: Get-WinEvent -ListLog * | Format-List -Property LogName:

LogName : Application
LogName : HardwareEvents
LogName : Internet Explorer
LogName : Key Management Service
LogName : Security
LogName : System
LogName : Windows PowerShell
LogName : ForwardedEvents
LogName : Microsoft-AppV-Client/Admin
...
LogName : Windows Networking Vpn Plugin Platform/OperationalVerbose

If you want to add PowerShell events to Humio you would add the following line to the winlogbeat.event_logs section of your winlogbeat.yml file and then restart the Winlogbeat service:

  - name: Windows PowerShell

Tuning Performance

You can tune Winlogbeat’s performance by setting the compression_level, worker, and bulk_max_size values in the output.elasticsearch section of your winlogbeat.yml based on the volume of data that you are shipping to Humio. Below is an example output.elasticsearch section

output.elasticsearch:
  hosts: ["http://<Your Humio url>/api/v1/ingest/elastic-bulk"]
  password: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
  compression_level: 5
  bulk_max_size: 200
  worker: 1
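Both of the last two sections come down to the same question: which logs are actually configured, do they exist on this host, and how much volume do they produce. The following PowerShell script is an added example, not part of the Humio documentation or of the Winlogbeat project. It reads the names listed under winlogbeat.event_logs in winlogbeat.yml, checks each one against Get-WinEvent -ListLog (so a typo such as a misspelled channel name is caught before the service is restarted), and reports the event rate over a recent window so that bulk_max_size and worker can be chosen from measured volume rather than guessed. $ConfigPath and $WindowMinutes are assumptions, and the YAML handling is a small line-based parse that covers the flat layout shown above, not the full YAML grammar.

```powershell
# Added example: validate the configured event logs and measure their recent volume.
# Assumptions: $ConfigPath points at the winlogbeat.yml from this document and the
# shell is elevated (reading the Security log requires administrator rights).
param(
    [string]$ConfigPath    = 'C:\Program Files\Winlogbeat\winlogbeat.yml',
    [int]   $WindowMinutes = 60
)

# Return the "- name: X" entries that follow the winlogbeat.event_logs key.
# Deliberately minimal: it stops at the next top-level key and strips quotes.
function Get-ConfiguredEventLogs([string]$Path) {
    $inSection = $false
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\s*winlogbeat\.event_logs:') { $inSection = $true; continue }
        if ($inSection -and $line -match '^\S') { $inSection = $false }   # next top-level key
        if ($inSection -and $line -match '^\s*-\s*name:\s*(.+?)\s*$') {
            $Matches[1].Trim('"', "'")
        }
    }
}

$since  = (Get-Date).AddMinutes(-$WindowMinutes)
$report = foreach ($name in Get-ConfiguredEventLogs -Path $ConfigPath) {
    $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
    if (-not $log) {
        # The channel does not exist here; Winlogbeat would log an error for it.
        [pscustomobject]@{ LogName = $name; Exists = $false; Enabled = $null; RecentEvents = 0; PerMinute = 0 }
        continue
    }
    # Count events in the window. An empty result raises a non-terminating
    # "No events were found" error, which is expected and suppressed; @() keeps
    # .Count meaningful whether zero, one or many events come back.
    $recent = @(Get-WinEvent -FilterHashtable @{ LogName = $name; StartTime = $since } -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        LogName      = $name
        Exists       = $true
        Enabled      = $log.IsEnabled
        RecentEvents = $recent.Count
        PerMinute    = [math]::Round($recent.Count / $WindowMinutes, 2)
    }
}
$report | Format-Table -AutoSize

# Aggregate rate across all configured logs: the starting point for sizing
# bulk_max_size and worker in output.elasticsearch.
$missing = @($report | Where-Object { -not $_.Exists }).Count
$total   = ($report | Measure-Object -Property PerMinute -Sum).Sum
"Configured logs: $(@($report).Count); missing on this host: $missing; total events/min: $total"
```

A log that reports Exists = False should be removed from winlogbeat.yml or its name corrected against the Get-WinEvent -ListLog output shown earlier; one that reports Enabled = False will produce nothing until the channel is enabled in Event Viewer. The per-minute figure is what to compare against your chosen bulk_max_size after a change, since a batch size far above the steady-state rate just delays delivery.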

Troubleshooting

The number one cause for trouble with Winlogbeat and Humio is installing the wrong version of Winlogbeat (the non-open source version). If you suspect that you have installed the wrong version, you can uninstall Winlogbeat within PowerShell using the following instructions:

  1. Open a PowerShell prompt as an Administrator.

  2. Navigate to the Winlogbeat directory: PS C:\Users\Administrator>cd 'c:\Program Files\Winlogbeat'

  3. Run the Winlogbeat uninstall script: PS C:\Program Files\Winlogbeat> .\uninstall-service-winlogbeat.ps1

  4. Make a backup of your winlogbeat.yml file and then remove the contents of the C:\Program Files\Winlogbeat folder.

  5. Install the open source version of Winlogbeat using the instructions found above.
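Before reinstalling, it is worth confirming that the wrong build is really the cause. The following PowerShell health check is an added example, not part of the Humio documentation or of the Winlogbeat project. It reports the service state, re-runs the same config validation as step 7, attempts a connection to the configured output with the standard Beats "test output" subcommand, and pulls recent WARN and ERROR lines from the local log directory that the example configuration enables. $InstallDir and $LogDir follow the paths used in this document; $TailLines is an assumption.

```powershell
# Added example: Winlogbeat health check to run from an elevated prompt.
# Paths follow this document; $TailLines is an arbitrary assumption.
param(
    [string]$InstallDir = 'C:\Program Files\Winlogbeat',
    [string]$LogDir     = 'C:\ProgramData\Winlogbeat\Logs',
    [int]   $TailLines  = 200
)
Set-Location -Path $InstallDir

# 1. Is the service registered, and is it running?
$svc = Get-Service -Name winlogbeat -ErrorAction SilentlyContinue
if (-not $svc) { "Service 'winlogbeat' is not installed; run .\install-service-winlogbeat.ps1 first." }
else           { "Service status: $($svc.Status)" }

# 2. Is winlogbeat.yml valid? Same command as step 7 of the installation.
& .\winlogbeat.exe test config -c .\winlogbeat.yml -e
"test config exit code: $LASTEXITCODE"

# 3. Can the beat reach the ingest URL in output.elasticsearch? 'test output'
# is a standard Beats subcommand that opens the connection and reports the result.
& .\winlogbeat.exe test output -c .\winlogbeat.yml -e
"test output exit code: $LASTEXITCODE"

# 4. Recent warnings and errors from the newest local log file. These files
# exist because logging.to_files is enabled in the example configuration.
$latest = Get-ChildItem -Path $LogDir -File -ErrorAction SilentlyContinue |
          Sort-Object -Property LastWriteTime -Descending |
          Select-Object -First 1
if (-not $latest) { "No Winlogbeat log files found in $LogDir" }
else {
    "Recent problems in $($latest.FullName):"
    Get-Content -Path $latest.FullName -Tail $TailLines |
        Select-String -Pattern '\bERROR\b|\bWARN\b' |
        ForEach-Object { $_.Line }
}
```

A failing "test config" points at the YAML itself (indentation under output.elasticsearch is the usual culprit); a passing config with a failing "test output" and repeated connection errors in the log file is the pattern to expect when the non-OSS build is installed, at which point the uninstall steps above apply.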