Setting up Winlogbeat Forwarder

Prerequisites:

  • The machine requires Java 1.8 to be running prior to setting up Winlogbeat.

Important Notes:

  • Winlogbeat can run in parallel with Filebeat on the same Windows machine; it is used only for Windows Event Logs.
  • If you are running Windows XP, you may need to download and install PowerShell.
  • If script execution is disabled on your system, you need to set the execution policy for the current session to allow the script to run.
    For example: PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-winlogbeat.ps1
  • The winlogbeat service can be managed from services.msc.
  • Any change to the winlogbeat.yml configuration file requires restarting the winlogbeat service.


Installation

To download and install Winlogbeat, log on to the designated machine as a local Administrator and follow these guidelines:

  1. Download and install Java JRE 1.8 HERE. If the machine already runs Java 1.8 you may skip this step. Otherwise download Java and, upon completion, restart the machine.
  2. To verify that the installed Java is 1.8, go to Control Panel > Java > About and check the version number.
  3. Download the Winlogbeat (Windows 64-bit) zip file from this LINK.
  4. Extract the contents of the zip file into C:\Program Files.
  5. Rename the winlogbeat-<version>-windows directory to Winlogbeat.
  6. Configure Winlogbeat. To configure Winlogbeat data forwarding to Logstash, modify the file C:\Program Files\Winlogbeat\winlogbeat.yml.
    1. Make a copy of the original winlogbeat.yml as winlogbeat.yml.orig.
    2. Replace the original winlogbeat.yml with the attached winlogbeat.yml.
    3. Edit the config file winlogbeat.yml and locate the Logstash output section.
      The output configuration is set as follows: hosts: ["HOST_THAT_THE_LOGSTASH_IS_INSTALLED_UPON:5044"]
      Set the IP/host of the Logstash server and save.
      For example: hosts: ["172.16.4.25:5044"]
  7. Install Winlogbeat as a service. The service must be installed only after completing the configuration. Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select Run As Administrator).
    1. Run the command: cd 'C:\Program Files\Winlogbeat'
    2. Run the command: .\install-service-winlogbeat.ps1
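The following PowerShell script is an added example (not part of this guide or the Winlogbeat package) that carries out steps 6 and 7 above in one go: it backs up the config, replaces the placeholder Logstash host, verifies the edit, installs the service if it is missing, and restarts it so the new hosts value takes effect. It assumes Winlogbeat lives in C:\Program Files\Winlogbeat and that the config still contains the placeholder from the attached winlogbeat.yml; the `test config` subcommand is assumed to be available (Winlogbeat 6.0 and later).

```powershell
# Added example, not from the original guide. Assumes the default install path
# and that winlogbeat.yml still carries the attached file's placeholder host.
param(
    [Parameter(Mandatory = $true)][string]$LogstashHost,   # e.g. 172.16.4.25
    [int]$LogstashPort = 5044,
    [string]$BeatDir = 'C:\Program Files\Winlogbeat'
)
$ErrorActionPreference = 'Stop'
$cfg = Join-Path $BeatDir 'winlogbeat.yml'
$placeholder = 'HOST_THAT_THE_LOGSTASH_IS_INSTALLED_UPON:5044'
$target = "${LogstashHost}:${LogstashPort}"

# Step 6.1: keep an untouched copy of the config before editing it.
$orig = "$cfg.orig"
if (-not (Test-Path $orig)) { Copy-Item $cfg $orig }

# Step 6.3: point the Logstash output at the real host and re-read to verify.
$text = Get-Content $cfg -Raw
if (-not $text.Contains($placeholder)) {
    throw "Placeholder '$placeholder' not found in $cfg; edit the hosts line by hand."
}
# WriteAllText writes UTF-8 without a BOM, which keeps the YAML parser happy.
[System.IO.File]::WriteAllText($cfg, $text.Replace($placeholder, $target))
if (-not (Get-Content $cfg -Raw).Contains("hosts: [`"$target`"]")) {
    throw "hosts line was not updated as expected; inspect $cfg"
}

# Syntax check of the edited config (subcommand assumed: Winlogbeat 6.0+).
Push-Location $BeatDir
& .\winlogbeat.exe test config -c .\winlogbeat.yml
if ($LASTEXITCODE -ne 0) { Pop-Location; throw "winlogbeat.yml failed validation" }

# Step 7: install the service only now that the config is final, then
# (re)start it so the new hosts value is picked up, and confirm it is running.
if (-not (Get-Service winlogbeat -ErrorAction SilentlyContinue)) {
    PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-winlogbeat.ps1
}
Pop-Location
Restart-Service winlogbeat
(Get-Service winlogbeat).Status   # expected: Running
```

Run it from an elevated PowerShell prompt, e.g. `.\setup-winlogbeat.ps1 -LogstashHost 172.16.4.25`; if the final status is not Running, check the Windows Application event log and the logs directory under C:\Program Files\Winlogbeat for the startup error.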

Notes:

    • Any change to the winlogbeat.yml configuration file requires restarting the Winlogbeat service (installed by default from C:\Program Files\Winlogbeat).
    • To run Winlogbeat manually, open PowerShell as Administrator, change to C:\Program Files\Winlogbeat and run: .\winlogbeat.exe -c .\winlogbeat.yml