Updating winlogbeat.yml and adding more event logs


#1

I'm currently running a Windows Event Forwarding / Windows Event Collector setup. All of our endpoints send logs to the WEC server where Winlogbeat is installed.

I'm currently sending Sysmon logs (WEC6-Sysmon) centrally collected on the WEC Server / Winlogbeat --> Logstash --> Elasticsearch --> Kibana.

I've attached some examples of my configurations below:

winlogbeat.yml

...

winlogbeat.event_logs:
  ##- name: WEC-Authentication
  ##  ignore_older: 72h
  - name: WEC6-Sysmon
  ##  ignore_older: 72h

...

#----------------------------- Logstash output --------------------------------
output.logstash:
  hosts: ["<logstash-ip-address>:5044"]

...

/etc/logstash/conf.d/01-winlogbeat.conf

input {
  beats {
    port => 5044
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
}

I would like to enable WEC-Authentication logs, but wanted to make sure that I'm following the proper steps for ingesting new logs.

From taking a look at the documentation and various articles online, I believe the process is:

  1. Modify winlogbeat.yml by uncommenting the WEC-Authentication line.

  2. Run a test to make sure the configuration file is formatted correctly: PS C:\Program Files\Winlogbeat> .\winlogbeat.exe test config -c .\winlogbeat.yml -e.

  3. Restart the Winlogbeat service: PS C:\Program Files\Winlogbeat> Restart-Service winlogbeat

  4. From Kibana, go to Management --> Kibana Index Patterns --> "Refresh Field List"

  5. Success! (hopefully)

Do I have to restart Logstash or Elasticsearch to start receiving and indexing the new events?

Also, since Winlogbeat is using Logstash and doesn't have direct connectivity to Elasticsearch, I manually loaded the index template using the following documentation (no issues): https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-template.html#load-template-manually

Since the WEC6-Sysmon events have a set of fields which differs from the WEC-Authentication events, I believe that the new fields from WEC-Authentication will automatically be generated since I have dynamic field mapping turned on and my index template mapping looks like:

"dynamic_templates": [
  {
    "fields": {
      "mapping": {
        "type": "keyword"
      },
      "match_mapping_type": "string",
      "path_match": "fields.*"
    }
  },

  . . .

  {
    "event_data": {
      "mapping": {
        "type": "keyword"
      },
      "match_mapping_type": "string",
      "path_match": "event_data.*"
    }
  },

  . . .

Thank you for your help!
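Steps 1 to 3 of the procedure above, written out as a single PowerShell script that is run on the WEC server. This is an added example, not code from the original poster or from the Winlogbeat project; it assumes the install path and channel name used in the post (C:\Program Files\Winlogbeat, WEC-Authentication) and that the entry to enable is a commented-out "- name:" line under winlogbeat.event_logs, as in the winlogbeat.yml shown. It adds two checks that the post does not: that the forwarded channel actually exists on the collector before it is enabled, and that the service is back in the Running state after the restart.

```powershell
# Added example (not from the original thread): enable an additional forwarded
# event log channel in winlogbeat.yml on the WEC server, validate the config,
# and restart the service. Paths and channel name are assumptions taken from
# the post above; adjust them for your environment.
$WinlogbeatDir = 'C:\Program Files\Winlogbeat'
$ConfigPath    = Join-Path $WinlogbeatDir 'winlogbeat.yml'
$Channel       = 'WEC-Authentication'

# 0. Confirm the forwarded channel exists on the collector before enabling it.
#    Winlogbeat cannot read a channel that the WEF subscription has not created,
#    so a typo here would otherwise only surface as a runtime error in the logs.
$log = Get-WinEvent -ListLog $Channel -ErrorAction Stop
"Channel '{0}' exists: {1} records, last written {2}" -f $log.LogName, $log.RecordCount, $log.LastWriteTime

# 1. Uncomment the "- name: <channel>" entry under winlogbeat.event_logs.
#    Keep a backup so the change can be reverted if the config test fails.
Copy-Item -Path $ConfigPath -Destination "$ConfigPath.bak" -Force
$yaml    = Get-Content -Path $ConfigPath -Raw
$escaped = [regex]::Escape($Channel)
$commented = '(?m)^\s*#+\s*-\s*name:\s*' + $escaped + '\s*$'
$enabled   = '(?m)^\s*-\s*name:\s*'      + $escaped + '\s*$'
if ($yaml -match $commented) {
    $yaml = [regex]::Replace($yaml, $commented, "  - name: $Channel")
    Set-Content -Path $ConfigPath -Value $yaml -Encoding UTF8
} elseif ($yaml -notmatch $enabled) {
    throw "No entry for $Channel found in $ConfigPath; add it under winlogbeat.event_logs first."
}

# 2. Validate the configuration. A non-zero exit code means the YAML is broken;
#    restore the backup rather than restarting the service with a bad config.
& (Join-Path $WinlogbeatDir 'winlogbeat.exe') test config -c $ConfigPath -e
if ($LASTEXITCODE -ne 0) {
    Copy-Item -Path "$ConfigPath.bak" -Destination $ConfigPath -Force
    throw "winlogbeat test config failed (exit $LASTEXITCODE); original config restored."
}

# 3. Restart the service and wait until it reports Running again.
Restart-Service -Name winlogbeat
(Get-Service -Name winlogbeat).WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
Get-Service -Name winlogbeat | Select-Object Name, Status
```

The script does not touch Logstash or Elasticsearch; only Winlogbeat reads winlogbeat.yml, so it is the only process that needs a restart. Step 4 (refreshing the index pattern's field list in Kibana) is still done by hand afterwards, once the first WEC-Authentication events have been indexed; with the index template shown above, any new string-valued event_data.* fields those events carry are mapped as keyword by the event_data dynamic template.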


(Andrew Kroh) #2

The procedure you outlined sounds correct to me.

There’s no need to restart LS or ES. And no changes are needed to the index template.


#3

Thanks, @andrewkroh. I'll give it a try and post back with the results. *fingers crossed*


#4

These steps worked. Making it the last post in case anyone searches for it in the future.

