This post is all about windows logging with winlogbeat and sysmon in place to collect all the important logs possible. <\/p>\n\n\n\n
Without getting into details about the installation of ELK stack I will get started with the installation of services and configuring the server to process that logs. Here is the link for installation script for ELK stack:- http:\/\/snehpatel.com\/index.php\/shell-script-for-elk-installation\/<\/a><\/p>\n\n\n\n First, let’s start with setting up the server for getting logs. To be specific adding configuration file for logstash, as we will be sending logs straight to logstash.<\/p>\n\n\n\n Note: All configuration tested on Centos. Make sure to set proper iptables settings to allow the port to get logs. <\/p>\n\n\n\n Now its time for windows client settings. Let’s start with the installation of sysmon. Sysmon is a windows tool to enable event logging. <\/p>\n\n\n\n Follow the steps to enable sysmon on your windows client.<\/p>\n\n\n\n Now let’s go through with installation on winlogbeat services<\/p>\n\n\n\nnano \/etc\/logstash\/conf.d\/windowslog.conf<\/code><\/pre>\n\n\n\ninput {\n beats {\n port => 5044\n }\n}\n\n# The filter part of this file is commented out to indicate that it\n# is optional.\n# filter {\n#\n# }\n\noutput {\n elasticsearch {\n hosts => \"localhost:9200\"\n manage_template => false\n index => \"%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}\"\n }\n}<\/code><\/pre>\n\n\n\nsudo systemctl restart logstash<\/code><\/pre>\n\n\n\nSysmon.exe -i -n -accepteula<\/code><\/pre>\n\n\n\n