Logstash – Sending Windows Event Logs

Download Winlogbeat (64-bit) from the Elastic downloads page.

Step 1: Extract winlogbeat.zip under C:\Program Files\ and rename the extracted folder to C:\Program Files\Winlogbeat (Step 3 assumes that path).

Step 2: Open winlogbeat.yml in Notepad (run Notepad as Administrator, since the file lives under Program Files).

Replace the default entries under winlogbeat.event_logs with the following. YAML is indentation-sensitive: use spaces, not tabs, and each entry may name only one channel.

winlogbeat.event_logs:
  - name: Security
    event_id: 1102, 4608, 4609, 4624-4648, 4697, 4700-4800, 4950
    ignore_older: 72h

  - name: Application
    event_id: 1000, 1001, 1002
    ignore_older: 72h

  - name: "Microsoft-Windows-TaskScheduler/Operational"
    event_id: 106, 129, 140, 141, 142
    ignore_older: 72h

  - name: System
    event_id: 6, 102, 104, 6005, 7022, 7023, 7024, 7025, 7026, 7031, 7032, 7034, 7045
    ignore_older: 72h

  - name: "Microsoft-Windows-Application-Experience/Program-Inventory"
    event_id: 903, 904
    ignore_older: 72h

  - name: "Microsoft-Windows-TerminalServices-RDPClient/Operational"
    event_id: 21, 23, 24, 25, 1102
    ignore_older: 72h

  - name: "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"
    event_id: 21, 23, 24, 25, 1102
    ignore_older: 72h

  - name: "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
    event_id: 21, 23, 24, 25, 1102
    ignore_older: 72h

  - name: "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity"
    event_id: 2004, 2005, 2006, 2009, 2033
    ignore_older: 72h

  - name: "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose"
    event_id: 2004, 2005, 2006, 2009, 2033
    ignore_older: 72h

  - name: "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"
    event_id: 2004, 2005, 2006, 2009, 2033
    ignore_older: 72h

  - name: "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose"
    event_id: 2004, 2005, 2006, 2009, 2033
    ignore_older: 72h

  - name: "Microsoft-Windows-Windows Firewall With Advanced Security/Network Isolation Operational"
    event_id: 2004, 2005, 2006, 2009, 2033
    ignore_older: 72h

  - name: "Microsoft-Windows-WindowsUpdateClient/Operational"
    event_id: 20, 24, 25, 31, 34, 35
    ignore_older: 72h

A note on where the IDs live: 4697 (a service was installed) and 4719 (system audit policy was changed) are written to the Security channel, not System, so listing them under System would never match. 4719 already falls inside the 4700-4800 range, and 4697 is included in the Security entry above. 1102 (the audit log was cleared) is likewise a Security event; its System-channel counterpart is 104 (the event log was cleared). An event_id that a channel never produces is harmless, it simply never matches.

ignore_older: 72h tells Winlogbeat to skip events older than 72 hours the first time it reads a channel, instead of shipping the entire event log history. After that first run it records its read position per channel in a registry file, so a restart resumes where it left off rather than re-reading the last 72 hours.

Next, scroll down to the output section. The default winlogbeat.yml ships with output.elasticsearch enabled; comment that block out, because Winlogbeat refuses to start when more than one output is enabled. Then fill in output.logstash with the MOH Logstash server information:

output.logstash:
  # The Logstash hosts
  hosts: ["logstashserver_dns_name:5044"]
  index: winlogbeat

As written this sends events to Logstash in cleartext. For anything beyond a lab, configure the output.logstash ssl options (certificate_authorities, and certificate/key if the Beats input requires client certificates) so that traffic to port 5044 is encrypted and the Logstash server is authenticated.

Save the winlogbeat.yml and exit.

Step 3: Install Winlogbeat as a service

Launch PowerShell (Run as Administrator) and enter the following:

cd "C:\Program Files\Winlogbeat"
powershell.exe -ExecutionPolicy Unrestricted -File .\install-service-winlogbeat.ps1
Start-Service winlogbeat

The install script registers the service with the winlogbeat.yml from the current directory, which is why the cd into the install folder comes first.

Verify that the service reports a status of Running and that events from this host start arriving at the Logstash server.
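The following PowerShell script is an added example and is not part of the original post or of the Winlogbeat project. It wraps Step 3 with the checks a practitioner would want before and after installing the service: that every channel named in winlogbeat.yml exists on the host, that the config parses, that the Logstash port is reachable, and that the service actually came up. It assumes Winlogbeat 6.x or later (for the test config and test output subcommands), the C:\Program Files\Winlogbeat path used in the post, and the same placeholder Logstash host name; Test-NetConnection needs Windows 8 / Server 2012 or newer.

```powershell
# Added example (not from the original post or the Winlogbeat project).
# Assumes Winlogbeat 6.x+ installed at C:\Program Files\Winlogbeat and the
# placeholder Logstash host name from the post. Run as Administrator.
$Root         = 'C:\Program Files\Winlogbeat'
$Config       = Join-Path $Root 'winlogbeat.yml'
$LogstashHost = 'logstashserver_dns_name'   # placeholder, as in the post
$LogstashPort = 5044

Set-Location $Root

# 1. Every channel named in winlogbeat.yml must exist on this host. A typo or a
#    channel that only exists on newer Windows builds makes Winlogbeat log an
#    error for that entry instead of shipping its events. Commented-out entries
#    in the default file start with '#', so they do not match this pattern.
$channels = Select-String -Path $Config -Pattern '^\s*-\s*name:\s*"?([^"]+?)"?\s*$' |
    ForEach-Object { $_.Matches[0].Groups[1].Value }
$missing = @()
foreach ($c in $channels) {
    try { Get-WinEvent -ListLog $c -ErrorAction Stop | Out-Null }
    catch { $missing += $c }
}
if ($missing) {
    Write-Warning "Channels not present on this host:`n  $($missing -join "`n  ")"
}

# 2. Winlogbeat's own config check: YAML syntax, unknown keys, bad event_id lists,
#    and the "more than one output is enabled" case.
& .\winlogbeat.exe test config -c $Config -e
if ($LASTEXITCODE -ne 0) { throw 'winlogbeat.yml failed validation' }

# 3. TCP reachability of the Beats input before the service exists, so a DNS or
#    firewall problem surfaces here rather than buried in the service log.
$tcp = Test-NetConnection -ComputerName $LogstashHost -Port $LogstashPort -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    throw "Cannot reach ${LogstashHost}:$LogstashPort (check DNS, firewall, and that the Logstash beats input is listening)"
}
# 'test output' completes the Beats handshake (including TLS, if configured).
& .\winlogbeat.exe test output -c $Config -e
if ($LASTEXITCODE -ne 0) { throw 'Logstash output test failed' }

# 4. Install only if the service is not already registered, then start it.
if (-not (Get-Service -Name winlogbeat -ErrorAction SilentlyContinue)) {
    powershell.exe -ExecutionPolicy Unrestricted -File .\install-service-winlogbeat.ps1
}
Start-Service -Name winlogbeat
Start-Sleep -Seconds 5

# 5. Verify: service state, then the registry file that records per-channel read
#    positions (it appears once events have been read). Its location depends on
#    the Winlogbeat version: newer install scripts put data under ProgramData,
#    older ones under the install folder, so both are checked.
$svc = Get-Service -Name winlogbeat
"Service status: $($svc.Status)"
$registryCandidates = @(
    (Join-Path $env:ProgramData 'winlogbeat\.winlogbeat.yml'),
    (Join-Path $Root 'data\.winlogbeat.yml')
)
$registry = $registryCandidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if ($registry) { "Registry file present: $registry" }
else { Write-Warning 'No registry file yet; check the winlogbeat logs folder for errors' }

# Tail the newest Winlogbeat log so a failing output or channel error is visible.
$logDirs = @((Join-Path $env:ProgramData 'winlogbeat\logs'), (Join-Path $Root 'logs'))
Get-ChildItem $logDirs -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1 |
    Get-Content -Tail 20
```

If step 1 warns about a missing channel, fix the name in winlogbeat.yml before going further; Winlogbeat keeps running with a bad entry, so the only symptom later is a silent absence of those events in Logstash.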
