Windows Mass Beats Deployment

PowerShell script for deploying beats modules. Can be used with group policy.
Hopefully this can be of use to anyone else starting out with the ELK stack.

```powershell
$beats = "Metricbeat", "Heartbeat", "Auditbeat", "Winlogbeat", "Packetbeat"
# Path to the remote location containing the beats folders with all files inside. The path can be a network share such as \\server\beatsfolder
# Download your files from https://www.elastic.co/downloads/beats/ as Windows Zip files, extract the folders and name them
# Metricbeat, Heartbeat, Auditbeat, Winlogbeat, Packetbeat accordingly. Place these folders in the same directory in the remote location.
# This will copy each folder into the client's Program Files directory.
# Replace/Modify the *beat.yml file with the config you need.
$beatslocation = "<remote file location here>"
foreach ($beat in $beats) {
    $beatlower = $beat.ToLower()
    if ((Test-Path -Path "C:\Program Files\$beat\") -eq $false) {
        # Pull all files from directory if path does not exist
        Copy-Item "$beatslocation\$beat\" -Recurse "C:\Program Files\$beat\" -Force
        & "C:\Program Files\$beat\install-service-$beatlower.ps1"
        Start-Service $beat
    }
    else {
        # Update config if path exists and restart service. Packetbeat has an issue where it does not properly
        # stop/restart, so it kills the process then restarts it.
        Copy-Item "$beatslocation\$beat\$beatlower.yml" "C:\Program Files\$beat\$beatlower.yml" -Force
        if ($beat -eq "Packetbeat") {
            # Compare against the service names; Select-Object returns objects, which never match a string
            if ((Get-Service).Name -contains $beatlower) {
                # Kill the packetbeat process by name, then start the service again
                Stop-Process -Name $beatlower -Force -ErrorAction SilentlyContinue
                Start-Service $beatlower
            }
            else {
                Start-Service $beatlower
            }
        }
        else {
            Restart-Service $beat
        }
    }
}
```
1 Like

Updated for a clean uninstall/reinstall

```powershell
$beats = "Auditbeat", "Filebeat", "Heartbeat", "Metricbeat", "Packetbeat", "Winlogbeat"
$beatslocation = "<remote file location here>"
foreach ($beat in $beats) {
    $beatlower = $beat.ToLower()
    # Stop service and wipe path
    if ((Test-Path -Path "C:\Program Files\$beat\") -eq $true) {
        if ($null -ne (Get-Service -Name "$beat" -ErrorAction SilentlyContinue)) {
            Write-Host "$beat Service found. Stopping service."
            # Force Packetbeat to stop by killing its process
            if ($beat -eq "Packetbeat") {
                Stop-Process -Name $beatlower -Force -ErrorAction SilentlyContinue
            }
            else {
                Stop-Service $beat
            }
        }
        Write-Host "Removing Program Files for $beat"
        Remove-Item "C:\Program Files\$beat" -Recurse
    }
    if ($beat -eq "Packetbeat") {
        if ((Test-Path -Path "C:\Program Files\Npcap\") -eq $false) {
            Write-Host "Npcap not installed. Running installer."
            # The Packetbeat service script runs after the copy below; its folder does not exist at this point
            Unblock-File -Path "$beatslocation\Npcap\npcap-1.72.exe"
            & "$beatslocation\Npcap\npcap-1.72.exe"
            Read-Host "Press enter when the installer is finished: "
        }
        else {
            Write-Host "Npcap already installed. Skipping installer."
        }
    }
    # Create path
    Write-Host "$beat is not installed. Copying files."
    Copy-Item "$beatslocation\$beat\" -Recurse "C:\Program Files\$beat\" -Force
    # Install service and start service
    Unblock-File -Path "C:\Program Files\$beat\install-service-$beatlower.ps1"
    & "C:\Program Files\$beat\install-service-$beatlower.ps1"
    Start-Service $beat
}
```
1 Like
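
Both scripts above execute whatever currently sits on the share (the install-service script and, in the second one, the Npcap installer), and `Unblock-File` removes the downloaded-from-internet mark before doing so, so a check that the staged folder is unmodified belongs ahead of the copy. The following is an added example, not part of the original posts: `Test-BeatPayload` and the `RelativePath,SHA256` CSV manifest are assumptions, and the demo uses a constructed temp folder in place of `$beatslocation\<beat>`.

```powershell
# Added example. Test-BeatPayload and the CSV manifest (RelativePath,SHA256)
# are assumptions, not part of the posted scripts.
function Test-BeatPayload {
    param(
        [Parameter(Mandatory)] [string] $SourceDir,
        [Parameter(Mandatory)] [string] $ManifestPath
    )
    $root = (Get-Item -LiteralPath $SourceDir).FullName.TrimEnd('\', '/')
    $expected = @{}   # hashtable keys are case-insensitive, like Windows paths
    foreach ($row in Import-Csv -LiteralPath $ManifestPath) {
        $expected[$row.RelativePath] = $row.SHA256
    }
    $problems = @()
    foreach ($file in Get-ChildItem -LiteralPath $root -Recurse -File) {
        $rel = $file.FullName.Substring($root.Length + 1)
        $actual = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        if (-not $expected.ContainsKey($rel)) { $problems += "unexpected file: $rel" }
        elseif ($expected[$rel] -ne $actual) { $problems += "hash mismatch: $rel" }
        $expected.Remove($rel)
    }
    # Anything still listed in the manifest was not found on disk
    foreach ($missing in $expected.Keys) { $problems += "missing file: $missing" }
    $problems | ForEach-Object { Write-Warning $_ }
    return ($problems.Count -eq 0)
}

# Constructed demo: a temp folder stands in for "$beatslocation\Winlogbeat".
$demo = (New-Item -ItemType Directory -Path (Join-Path ([IO.Path]::GetTempPath()) "beats-demo-$([guid]::NewGuid())")).FullName
Set-Content -Path (Join-Path $demo 'winlogbeat.yml') -Value 'output.elasticsearch: {}'
Set-Content -Path (Join-Path $demo 'install-service-winlogbeat.ps1') -Value '# placeholder'
# Build the manifest from the known-good copy and keep it outside the folder it describes
$manifest = "${demo}.manifest.csv"
Get-ChildItem -LiteralPath $demo -Recurse -File | ForEach-Object {
    [pscustomobject]@{
        RelativePath = $_.FullName.Substring($demo.Length + 1)
        SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
} | Export-Csv -LiteralPath $manifest -NoTypeInformation

$clean = Test-BeatPayload -SourceDir $demo -ManifestPath $manifest
# Simulate a modified install script on the share, then check again
Add-Content -Path (Join-Path $demo 'install-service-winlogbeat.ps1') -Value '# changed'
$tampered = Test-BeatPayload -SourceDir $demo -ManifestPath $manifest
"clean folder passes: $clean; modified folder passes: $tampered"
Remove-Item -LiteralPath $demo, $manifest -Recurse -Force
```

In a deployment the manifest has to live somewhere the share's writers cannot change, for example inside the policy-delivered script itself, and the copy and install steps run only when the function returns `$true`.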

@Nathan.Arnall Welcome to the community and thanks for sharing.
I updated the title so perhaps people searching for Windows can find it more easily!

Thanks!
