Winlogbeat and Sysmon setup. Integration with ELK

This post is all about windows logging with winlogbeat and sysmon in place to collect all the important logs possible.

Without getting into details about the installation of ELK stack I will get started with the installation of services and configuring the server to process that logs. Here is the link for installation script for ELK stack:-

First, let’s start with setting up the server for getting logs. To be specific adding configuration file for logstash, as we will be sending logs straight to logstash.

Note: All configuration tested on Centos. Make sure to set proper iptables settings to allow the port to get logs.

  • Create new file in folder called /etc/logstash/conf.d/
nano /etc/logstash/conf.d/windowslog.conf
  • Note: Make sure you have the config path included in the logstash configuration.
  • Include the following configuration and save the file.
input {
  beats {
    port => 5044

# The filter part of this file is commented out to indicate that it
# is optional.
# filter {
# }

output {
  elasticsearch {
    hosts => "localhost:9200"
    manage_template => false
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  • Restart the logstash services.
sudo systemctl restart logstash

Now its time for windows client settings. Let’s start with the installation of sysmon. Sysmon is a windows tool to enable event logging.

Follow the steps to enable sysmon on your windows client.

  • Download sysmon from the following link :
  • Unzip the package and move it to C:\Program Files
  • Rename the folder to “sysmon”
  • Open the command prompt with administrator privileges and go to that directory
  • Enter the following command to install sysmon
Sysmon.exe -i -n -accepteula
  • Check-in services to make sure the service is running

Now let’s go through with installation on winlogbeat services

  • Download winlogbeat from the following link:
  • Unzip it and rename the folder to “winlogbeat”, now move it to following location C:\Program Files
  • Open Powershell with administrator privileges and change directory to the winlogbeat folder
  • And run the following command :

NOTE:- execution of the script will be restricted in PowerShell by default. Below are the following commands that will help.

Get-ExecutionPolicy -list
Set-ExecutionPolicy -Scope "CurrentUser" -ExecutionPolicy "RemoteSigned"
  • Now open winlogbeat.yml in a text editor and remove all configuration.
  • Copy following configuration
  - name: Application
    ignore_older: 72h

  - name: System

  - name: Security
      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js

  - name: Microsoft-Windows-Sysmon/Operational
      - script:
          lang: javascript
          id: sysmon
          file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js

  index.number_of_shards: 1

setup.dashboards.enabled: true


  host: ""

  hosts: [""]

  - add_host_metadata: ~
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  • Make sure to change the IP addresses of kibana and logstash
  • Now go to services and restart sysmon and winlogbeat service

There we go now, you will see the dashboard and index automatically added on to kibana



Leave a Comment