Sending Windows Event Forwarder Server (WEF) Logs to Elasticsearch (Winlogbeat)

Now that you are sending all of your logs to your Windows Event Forwarder, it’s time to forward them to Elasticsearch so we can visualize them in Kibana and make some meaningful decisions based on the data.

Prerequisites:

  • Winlogbeat – Download here (64-bit)
  • Windows host – the system from which we will be collecting the logs.

Step 1: Download and extract winlogbeat.zip to c:\program files\ (it should look like the image below)

Step 2: Open winlogbeat.yml in Notepad and edit it:

We will add the following under winlogbeat.event_logs:

(Note: this configuration will not include events older than 3 days.)

Next, scroll down until you get to output.logstash: and add your Logstash server information there.

Save the winlogbeat.yml and exit.

Step 3: Install Winlogbeat as a service

Launch PowerShell (Run as Administrator) and enter the following:

Verify that the service is running.
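The post's own configuration and install commands were screenshots, so the following is an added PowerShell example (not the author's script) that performs Steps 2 and 3 end to end and then checks the result. It assumes Winlogbeat was extracted to C:\Program Files\winlogbeat and that the Logstash server is logstash.example.internal on port 5044; both are placeholders. It writes a minimal winlogbeat.yml in place of the shipped one rather than editing that file by hand, reads the ForwardedEvents channel (the log the Windows Event Collector writes subscribed events into), and applies the post's "no events older than 3 days" rule as ignore_older: 72h.

```powershell
# Added example, not from the original post. Placeholders: adjust both values.
$WinlogbeatDir = 'C:\Program Files\winlogbeat'
$LogstashHost  = 'logstash.example.internal:5044'

# Step 2: the two settings the post edits by hand, written as a complete
# minimal winlogbeat.yml. ForwardedEvents is the channel WEC populates;
# ignore_older: 72h skips events older than 3 days. forwarded: true is the
# documented default for ForwardedEvents (events came from remote hosts, so
# Winlogbeat uses the rendered text carried in the event XML instead of
# looking up message DLLs the collector may not have); it is stated here
# only so the choice is visible in the file.
$config = @"
winlogbeat.event_logs:
  - name: ForwardedEvents
    ignore_older: 72h
    forwarded: true

output.logstash:
  hosts: ["$LogstashHost"]
"@
Set-Content -Path (Join-Path $WinlogbeatDir 'winlogbeat.yml') -Value $config -Encoding ASCII

# Step 3: install the service with the script shipped inside winlogbeat.zip.
Set-Location $WinlogbeatDir
PowerShell.exe -ExecutionPolicy Unrestricted -File .\install-service-winlogbeat.ps1

# Check the config before starting. 'test config' exists in Winlogbeat 6.0
# and later; 5.x releases use 'winlogbeat.exe -configtest -e' instead.
& .\winlogbeat.exe test config -c .\winlogbeat.yml -e

Start-Service winlogbeat

# Verification: the service is running, the collector actually holds
# forwarded events (an empty channel points at the WEF subscription, not
# Winlogbeat), and the Logstash port is reachable from this host.
$svc = Get-Service winlogbeat
if ($svc.Status -ne 'Running') { throw "winlogbeat service is $($svc.Status)" }

$recent = Get-WinEvent -LogName ForwardedEvents -MaxEvents 5 -ErrorAction SilentlyContinue
if (-not $recent) {
    Write-Warning 'ForwardedEvents is empty; check the WEF subscription before blaming Winlogbeat.'
} else {
    "ForwardedEvents has events; newest at $($recent[0].TimeCreated)"
}

$lsHost, $lsPort = $LogstashHost.Split(':')
$tnc = Test-NetConnection -ComputerName $lsHost -Port ([int]$lsPort)
if (-not $tnc.TcpTestSucceeded) {
    Write-Warning "Cannot reach $LogstashHost; check Logstash's beats input and any firewall in between."
}
```

Run the script from an elevated PowerShell prompt. If the service starts but nothing appears in Kibana, the three checks at the end separate the common causes: the service not running, the collector receiving no forwarded events, and the Beats port on Logstash being unreachable.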

Done! The next tutorial will focus on Kibana so you can start visualizing the data.

Here’s the Kibana article

If you have any questions feel free to send me a message on Twitter where I’ll answer quicker.

One thought on “Sending Windows Event Forwarder Server (WEF) Logs to Elasticsearch (Winlogbeat)”

  1. Pingback: Lessons Learned: Winlogbeat & Forwarded Events – no event description – David Vassallo's Blog
