¶ Introduction
Winlogbeat ships Windows event logs to a Syslog server such as blësk. You can install it as a Windows service on Windows XP or later.
Winlogbeat reads from one or more event logs using Windows APIs filters the events based on user-configured criteria, then sends the event data to the configured outputs (BLËSK). Winlogbeat watches the event logs so that new event data is sent in a timely manner. The read position for each event log is persisted to disk to allow Winlogbeat to resume after restarts.
Winlogbeat can capture event data from any event logs running on your system. For example, you can capture events such as:
- application events
- hardware events
- security events
- system events
¶ Installing Winlogbeat
1 . Download the Winlogbeat zip file from the downloads page.
2 . Extract the contents into C:\Program Files.
3 . Rename the winlogbeat-<version> directory to Winlogbeat.
4 . Open a PowerShell prompt as an Administrator.
5 . Run the following commands to install the service.
If script execution is disabled on your system, you need to set the execution policy for the current session to allow the script to run. For example:
PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-winlogbeat.ps1
¶ Configuring Winlogbeat
1. Once the program is installed, we need to edit its configuration file called “winlogbeat.yml” and make some changes to make it work with blësk. To do this, you edit the Winlogbeat configuration file to enable the Logstash output by uncommenting it as shown in the image below (Comment the line related to output.elasticsearch and uncomment the line related to output.logstash).
# output.elasticsearch
# Array of hosts to connect to.
# hosts: ["localhost:9200"]
output.logstash:
hosts: ["blesk.ip.addr:5044"]The hosts option specifies the blësk server IP or FQDN and the port (5044) where blësk is configured to listen for incoming log connections. In our example, the value is "blesk.ip.addr" and we send logs on port 5044.
2. After you save your configuration file, test it with the following command.
PS C:\Program Files\Winlogbeat> .\winlogbeat.exe test config
PS C:\Program Files\Winlogbeat> .\winlogbeat.exe test output¶ Starting Winlogbeat
1. Start the Winlogbeat service with the following command:
PS C:\Program Files\Winlogbeat> Start-Service winlogbeatWinlogbeat should now be running. If you used the configuration described here, then you can view the log file at C:\ProgramData\winlogbeat\Logs\winlogbeat.
2. You can view the status of the service and control it from the Services management console in Windows. To launch the management console, run this command:
PS C:\Program Files\Winlogbeat> services.msc