Updating winlogbeat.yml and adding more event logs

I'm currently running a Windows Event Forwarding / Windows Event Collector setup. All of our endpoints send logs to the WEC server where Winlogbeat is installed.

I'm currently sending Sysmon logs (WEC6-Sysmon) centrally collected on the WEC Server / Winlogbeat --> Logstash --> Elasticsearch --> Kibana.

I've attached some examples of my configurations below:

winlogbeat.yml

...

winlogbeat.event_logs:
  #- name: WEC-Authentication
  #  ignore_older: 72h
  - name: WEC6-Sysmon
  #  ignore_older: 72h

...

#----------------------------- Logstash output --------------------------------
output.logstash:
  hosts: ["<logstash-ip-address>:5044"]

...

/etc/logstash/conf.d/01-winlogbeat.conf

input {
  beats {
    port => 5044
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
}

I would like to enable WEC-Authentication logs, but wanted to make sure that I'm following the proper steps for ingesting new logs.

From taking a look at the documentation and various articles online, I believe the process is:

  1. Modify winlogbeat.yml by uncommenting the WEC-Authentication line.

  2. Run a test to make sure the configuration file is formatted correctly: PS C:\Program Files\Winlogbeat> .\winlogbeat.exe test config -c .\winlogbeat.yml -e

  3. Restart the Winlogbeat service: PS C:\Program Files\Winlogbeat> Restart-Service winlogbeat

  4. From Kibana, go to Management --> Kibana Index Patterns --> "Refresh Field List"

  5. Success! (hopefully)

Do I have to restart Logstash or Elasticsearch to start receiving and indexing the new events?

Also, since Winlogbeat is using Logstash and doesn't have direct connectivity to Elasticsearch, I manually loaded the index template using the following documentation (no issues): https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-template.html#load-template-manually

Since the WEC6-Sysmon events have a set of fields which differs from the WEC-Authentication events, I believe that the new fields from WEC-Authentication will automatically be generated since I have dynamic field mapping turned on and my index template mapping looks like:

"dynamic_templates": [
  {
    "fields": {
      "mapping": {
        "type": "keyword"
      },
      "match_mapping_type": "string",
      "path_match": "fields.*"
    }
  },

  . . .

  {
    "event_data": {
      "mapping": {
        "type": "keyword"
      },
      "match_mapping_type": "string",
      "path_match": "event_data.*"
    }
  },

  . . .

Thank you for your help!

The procedure you outlined sounds correct to me.

There’s no need to restart LS or ES. And no changes are needed to the index template.
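The four steps from the question, plus the mapping check the dynamic-template discussion calls for, as one PowerShell script. This is an added example and not code from the original thread or from Elastic. It assumes Winlogbeat is installed under C:\Program Files\Winlogbeat, that Elasticsearch is reachable over HTTP from the WEC host for two read-only checks (in the thread Elasticsearch sits behind Logstash, so point -ElasticsearchUrl at it), and that the channel name lives in the pre-ECS Winlogbeat field log_name (the -ChannelField parameter; Winlogbeat 7.x puts it in winlog.channel). The script backs up the config, uncomments the channel entry, validates with test config and test output, restarts only the Winlogbeat service, then counts the new channel's documents and spot-checks that string fields under event_data.* were mapped as keyword.

```powershell
<#
  Added example, not from the original thread: scripted version of the
  procedure above (enable a second WEF channel in Winlogbeat on the WEC
  server, validate the config, restart the service, confirm ingestion).
  Assumptions not stated on the page: Winlogbeat lives under $WinlogbeatDir,
  Elasticsearch answers read-only GETs at $ElasticsearchUrl, and the channel
  name is in the pre-ECS field "log_name". Run elevated on the WEC host.
#>
param(
    [string]$Channel          = 'WEC-Authentication',
    [string]$WinlogbeatDir    = 'C:\Program Files\Winlogbeat',
    [string]$ElasticsearchUrl = 'http://localhost:9200',
    [string]$ChannelField     = 'log_name',   # assumption: 6.x field; 7.x uses winlog.channel
    [int]$SettleSeconds       = 60
)
$ErrorActionPreference = 'Stop'
$ConfigPath = Join-Path $WinlogbeatDir 'winlogbeat.yml'
$exe        = Join-Path $WinlogbeatDir 'winlogbeat.exe'
$escaped    = [regex]::Escape($Channel)

# 0. Winlogbeat can only subscribe to a channel that exists on the collector.
$log = Get-WinEvent -ListLog $Channel
"Channel '{0}' found, {1} records on disk" -f $log.LogName, $log.RecordCount

# 1. Uncomment the "- name: <Channel>" entry under winlogbeat.event_logs,
#    reusing the indentation of the entries that are already enabled so the
#    new item lands in the same YAML sequence as WEC6-Sysmon.
Copy-Item $ConfigPath ("{0}.bak-{1}" -f $ConfigPath, (Get-Date -Format 'yyyyMMddHHmmss'))
$yaml = Get-Content -Path $ConfigPath -Raw
if ($yaml -match "(?m)^[ \t]*- name:[ \t]*${escaped}(?=[ \t]*\r?$)") {
    "Channel $Channel is already enabled in $ConfigPath"
} else {
    $indent  = if ($yaml -match "(?m)^([ \t]*)- name:") { $Matches[1] } else { '  ' }
    $pattern = "(?m)^[ \t]*#+[ \t]*- name:[ \t]*${escaped}(?=[ \t]*\r?$)"
    if ($yaml -notmatch $pattern) {
        throw "No commented-out entry for $Channel under winlogbeat.event_logs; add it by hand"
    }
    $yaml = $yaml -replace $pattern, "${indent}- name: ${Channel}"
    # UTF-8 without BOM, so the file is byte-for-byte what the parser saw before.
    [System.IO.File]::WriteAllText($ConfigPath, $yaml, [System.Text.UTF8Encoding]::new($false))
}

# 2. Validate the config, then confirm the Logstash hop is reachable. Both
#    must pass before the service is bounced, otherwise restore the .bak copy.
& $exe test config -c $ConfigPath -e
if ($LASTEXITCODE -ne 0) { throw 'winlogbeat test config failed; restore the .bak copy' }
& $exe test output -c $ConfigPath -e
if ($LASTEXITCODE -ne 0) { throw 'winlogbeat cannot reach the Logstash output' }

# 3. Restart only Winlogbeat; Logstash and Elasticsearch stay as they are,
#    as the reply above confirms.
Restart-Service -Name winlogbeat
"winlogbeat service is {0}" -f (Get-Service -Name winlogbeat).Status

# 4. Confirm documents for the new channel are actually landing. The Kibana
#    field-list refresh from the post only makes the new fields visible in the UI.
Start-Sleep -Seconds $SettleSeconds
$q     = [uri]::EscapeDataString(('{0}:"{1}"' -f $ChannelField, $Channel))
$count = (Invoke-RestMethod -Uri "$ElasticsearchUrl/winlogbeat-*/_count?q=$q" -Method Get).count
"$count documents with $ChannelField=$Channel in winlogbeat-*"

# Spot-check the dynamic template: every field mapped under event_data.* should
# be keyword. The regex over the JSON is deliberate so the check does not depend
# on the 6.x-vs-7.x shape of the get-field-mapping response.
$fm    = Invoke-RestMethod -Uri "$ElasticsearchUrl/winlogbeat-*/_mapping/field/event_data.*" -Method Get
$types = [regex]::Matches(($fm | ConvertTo-Json -Depth 30), '"type":\s*"([^"]+)"') |
         ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique
"Field types under event_data.*: $($types -join ', ')"
```

If the document count stays at zero after the settle period, the usual suspects are the Winlogbeat service account lacking read access to the custom channel, or the channel name in the YAML not matching Get-WinEvent -ListLog exactly; the count query is also a cheap thing to keep as a recurring check, since an authentication feed that quietly stops is the failure you least want to discover during an incident.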

Thanks, @andrewkroh. I'll give it a try and post back with the results. *fingers crossed*

These steps worked. Making it the last post in case anyone searches for it in the future.
