Contents

Install Winlogbeat

The purpose of Winlogbeat is to ship Windows event logs to the Elastic Stack. Let's get right into installing it.

Security Onion

Log into Security Onion and go to Downloads. In my case, I'm logging into Security Onion from my Windows (victim) machine. Click on Winlogbeat and the download should start.
This is what the installer looks like:
/images/winlogbeat1.png
After Winlogbeat is done installing, make sure you check "Open winlogbeat data directory in Windows Explorer", then click Finish.

A Winlogbeat directory should appear. Copy winlogbeat.example and rename the copy to winlogbeat.yml.

Now, open Notepad as an Administrator, browse to the location of winlogbeat.yml and open the file.
/images/winlogbeat2.png

Now copy the entry named "Microsoft-Windows-PowerShell/Operational" and, on the new copy, change the name to Microsoft-Windows-System/Operational. You should have the following:

```yaml
winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h

  - name: System

  - name: Security

  - name: ForwardedEvents
    tags: [forwarded]

  - name: Windows PowerShell
    event_id: 400, 403, 600, 800

  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104, 4105, 4106

  - name: Microsoft-Windows-Sysmon/Operational

  - name: Microsoft-Windows-Windows-Defender/Operational

  - name: Microsoft-Windows-Windows Firewall with Advanced Security/Firewall
```

Go to the Elasticsearch output section and comment out each line with #. Then go to the Logstash output section and uncomment hosts: ["localhost:5044"], replacing localhost with the IP address of Security Onion.
Then run net stop winlogbeat followed by net start winlogbeat.
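The two output sections as they should look after that edit, as an added example and not the page's own file; 192.0.2.10 is a placeholder for your Security Onion IP:

```yaml
# Elasticsearch output: every line commented out so Winlogbeat does not try to
# write straight to Elasticsearch.
#output.elasticsearch:
#  hosts: ["localhost:9200"]

# Logstash output: uncommented, with localhost replaced by the Security Onion
# address. 192.0.2.10 is a placeholder for your Security Onion IP.
output.logstash:
  hosts: ["192.0.2.10:5044"]
```

Before restarting the service, running winlogbeat.exe test config -c winlogbeat.yml and then winlogbeat.exe test output -c winlogbeat.yml from the Winlogbeat directory confirms that the file parses and that port 5044 on Security Onion is reachable from this host; if the output test fails, check that Security Onion's firewall allows this machine to reach that port.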

Now we're finished.