By Securitynik on 2020-10-05 13:04:32
In this, the eighth and final post in the series, we install, configure and provide basic security for Winlogbeat.
In the first post we installed Elasticsearch, and in the second post we installed Kibana. The third post provided basic security for Elasticsearch and Kibana. In the fourth post we installed, configured and secured Metricbeat, and in the fifth post we did the same for Auditbeat. The sixth post installed, configured and provided basic security for Filebeat, and the seventh post did the same for Packetbeat.
As in the previous posts, we can start from "Add Data".
From the login page, I download the WINDOWS ZIP 64-BIT file.
C:\Users\SecurityNik>certutil -f -URLCache "https://artifacts.elastic.co/downloads/beats/winlogbeat/winlogbeat-7.9.2-windows-x86_64.zip" winlogbeat-7.9.2.zip
****  Online  ****
CertUtil: -URLCache command completed successfully.

C:\Users\SecurityNik>dir winlogbeat-7.9.2.zip
 Volume in drive C is OS
 Volume Serial Number is D436-4013

 Directory of C:\Users\SecurityNik

2020-09-11  07:47 PM        19,156,840 winlogbeat-7.9.2.zip
               1 File(s)     19,156,840 bytes
               0 Dir(s)  31,707,971,584 bytes free
PS C:\Users\SecurityNik> Expand-Archive -LiteralPath .\winlogbeat-7.9.2.zip -DestinationPath .

PS C:\Users\SecurityNik> dir .\winlogbeat-7.9.2-windows-x86_64\

    Directory: C:\Users\SecurityNik\winlogbeat-7.9.2-windows-x86_64

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----       2020-09-11   8:14 PM                kibana
d-----       2020-09-11   8:14 PM                module
-a----       2020-09-01   8:12 PM             41 .build_hash.txt
-a----       2020-09-01   8:10 PM         194542 fields.yml
-a----       2020-09-01   8:12 PM            897 install-service-winlogbeat.ps1
-a----       2020-09-01   6:50 PM          13675 LICENSE.txt
-a----       2020-09-01   6:51 PM        8440372 NOTICE.txt
-a----       2020-09-01   8:12 PM            832 README.md
-a----       2020-09-01   8:12 PM            254 uninstall-service-winlogbeat.ps1
-a----       2020-09-01   8:12 PM       62381056 winlogbeat.exe
-a----       2020-09-01   8:10 PM          54147 winlogbeat.reference.yml
-a----       2020-09-01   8:10 PM           8778 winlogbeat.yml
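Before running anything out of that folder, a check that is not part of the original post: compare the archive against Elastic's published SHA-512 and look at the Authenticode signature on the extracted binary. The archive and folder names are the ones from the listing above; the ".sha512" URL pattern is an assumption that follows Elastic's artifact layout. Whether a particular release's winlogbeat.exe carries a signature, and from which certificate, has to be confirmed against that release, so the signature step reports rather than fails.

```powershell
# Added example, not code from the original post: check the download before running it.
# Assumptions: the archive is .\winlogbeat-7.9.2.zip and has already been expanded into
# .\winlogbeat-7.9.2-windows-x86_64 as shown above; Elastic publishes the digest next to
# each artifact as "<artifact URL>.sha512", a one-line file of the form "<hex>  <filename>".
function Test-WinlogbeatDownload {
    param(
        [string]$Zip = '.\winlogbeat-7.9.2.zip',
        [string]$Exe = '.\winlogbeat-7.9.2-windows-x86_64\winlogbeat.exe',
        [string]$Url = 'https://artifacts.elastic.co/downloads/beats/winlogbeat/winlogbeat-7.9.2-windows-x86_64.zip'
    )
    [Net.ServicePointManager]::SecurityProtocol = 'Tls12'

    # 1. SHA-512 of the local archive against the published digest. Get-FileHash returns
    #    upper-case hex and the published value is lower-case; -ne compares case-insensitively.
    $published = (Invoke-WebRequest -Uri "$Url.sha512" -UseBasicParsing).Content.Trim().Split(' ')[0]
    $local     = (Get-FileHash -LiteralPath $Zip -Algorithm SHA512).Hash
    if ($local -ne $published) {
        throw "SHA-512 mismatch for ${Zip}: expected $published, got $local"
    }

    # 2. Authenticode on the binary that will later run as a service. Which releases are
    #    signed, and by which certificate, must be confirmed against the release itself, so
    #    this reports the status and the signer subject instead of failing on them.
    $sig    = Get-AuthenticodeSignature -FilePath $Exe
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }

    [pscustomobject]@{
        Archive = (Resolve-Path -LiteralPath $Zip).Path
        Sha512  = $local
        Status  = $sig.Status       # 'Valid' is what you want to see
        Signer  = $signer
    }
}

Test-WinlogbeatDownload
```

A mismatching digest throws before anything else happens; a signature status other than Valid is a prompt to stop and look, not necessarily a compromise, since an unsigned release and a tampered one look the same to this check.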
After copying in the CA certificate that signed the Elasticsearch and Kibana certificates (SecurityNik-CA.pem) and Sysmon.exe, the folder looks like this:

PS C:\Users\SecurityNik> dir .\winlogbeat-7.9.2-windows-x86_64\

    Directory: C:\Users\SecurityNik\winlogbeat-7.9.2-windows-x86_64

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
...
-a----       2020-08-14   3:29 PM           1200 SecurityNik-CA.pem
-a----       2020-08-14   2:17 PM        4282224 Sysmon.exe
...
Next, install Sysmon so that its events are available to Winlogbeat's sysmon module:

C:\winlogbeat-7.9.2-windows-x86_64>sysmon -accepteula -i

System Monitor v11.11 - System activity monitor
Copyright (C) 2014-2020 Mark Russinovich and Thomas Garnier
Sysinternals - www.sysinternals.com

Sysmon installed.
SysmonDrv installed.
Starting SysmonDrv.
SysmonDrv started.
Starting Sysmon..
Sysmon started.

Note that -i with no configuration file installs Sysmon with its default rule set, which covers only a handful of event types. For real telemetry you would pass a configuration XML (sysmon -accepteula -i sysmonconfig.xml) and keep tuning it as your detections evolve.
Now edit winlogbeat.yml so that Winlogbeat talks to the Elasticsearch and Kibana instances secured in the earlier posts, over TLS and trusting the CA certificate copied in above. The relevant parts of the file:

PS C:\Users\SecurityNik> type C:\winlogbeat-7.9.2\winlogbeat.yml | more
....
# =================================== Kibana ===================================
setup.kibana:
  host: "https://10.0.0.1:5601"
  # SSL Configuration enabled by Nik
  ssl.enabled: true
  ssl.certificate_authorities: ["C:\\winlogbeat-7.9.2\\SecurityNik-CA.pem"]

# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["https://10.0.0.1:9200"]

  # Protocol - either `http` (default) or `https`.
  protocol: "https"

  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  username: "elastic"
  password: "WelcomeToSecurityNikElastic"

  # SSL Configuration enabled by Nik
  ssl.enabled: true
  ssl.certificate_authorities: ["C:\\winlogbeat-7.9.2\\SecurityNik-CA.pem"]

# ================================= Processors =================================
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
      # Added by Nik
      geo:
        name: home-ON
        continent_name: North America
        country_name: Canada
        country_iso_code: CA
        region_name: Ontario
        region_iso_code: Ontario
        city_name: GTA

Two things to keep in mind about this file: the password is stored in clear text, and elastic is the built-in superuser, so anyone who can read winlogbeat.yml on this host can do anything to the cluster. The Beats keystore (winlogbeat.exe keystore) and a dedicated Elasticsearch role limited to publishing into winlogbeat-* address both.
Copy the folder to the location the configuration and the service will use:

C:\Users\securitynik>xcopy /S /I /E .\winlogbeat-7.9.2 c:\winlogbeat-7.9.2\
.\winlogbeat-7.9.2\.build_hash.txt
.\winlogbeat-7.9.2\fields.yml
.\winlogbeat-7.9.2\install-service-winlogbeat.ps1
.\winlogbeat-7.9.2\LICENSE.txt
.\winlogbeat-7.9.2\NOTICE.txt
.\winlogbeat-7.9.2\README.md
.\winlogbeat-7.9.2\SecurityNik-CA.pem
.\winlogbeat-7.9.2\Sysmon.exe
.\winlogbeat-7.9.2\uninstall-service-winlogbeat.ps1
.\winlogbeat-7.9.2\winlogbeat.exe
.\winlogbeat-7.9.2\winlogbeat.reference.yml
.\winlogbeat-7.9.2\winlogbeat.yml
.\winlogbeat-7.9.2\kibana\7\dashboard\01c54730-fee6-11e9-8405-516218e3d268.json
.\winlogbeat-7.9.2\kibana\7\dashboard\71f720f0-ff18-11e9-8405-516218e3d268.json
.\winlogbeat-7.9.2\kibana\7\dashboard\8223bed0-b9e9-11e9-b6a2-c9b4015c4baf.json
.\winlogbeat-7.9.2\kibana\7\dashboard\bb858830-f412-11e9-8405-516218e3d268.json
.\winlogbeat-7.9.2\kibana\7\dashboard\Powershell-Overview-Dashboard.json
.\winlogbeat-7.9.2\kibana\7\dashboard\Winlogbeat-overview.json
.\winlogbeat-7.9.2\module\powershell\config\winlogbeat-powershell.js
.\winlogbeat-7.9.2\module\security\config\winlogbeat-security.js
.\winlogbeat-7.9.2\module\sysmon\config\winlogbeat-sysmon.js
21 File(s) copied
Test the configuration file, then test the connection to Elasticsearch:

C:\winlogbeat-7.9.2>winlogbeat.exe test config
Config OK

C:\winlogbeat-7.9.1>winlogbeat test output --e
2020-09-11T18:52:42.260-0700    INFO    instance/beat.go:640    Home path: [C:\winlogbeat-7.9.2] Config path: [C:\winlogbeat-7.9.1] Data path: [C:\winlogbeat-7.9.2\data] Logs path: [C:\winlogbeat-7.9.2\logs]
2020-09-11T18:52:42.267-0700    INFO    instance/beat.go:648    Beat ID: 6d3822d8-a900-4c46-b040-ae41659b2745
2020-09-11T18:52:42.284-0700    INFO    [index-management]      idxmgmt/std.go:184      Set output.elasticsearch.index to 'winlogbeat-7.9.2' as ILM is enabled.
2020-09-11T18:52:42.317-0700    INFO    eslegclient/connection.go:99    elasticsearch url: https://10.0.0.1:9200
elasticsearch: https://10.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 192.168.0.4
2020-09-11T18:52:42.332-0700    INFO    [add_cloud_metadata]    add_cloud_metadata/add_cloud_metadata.go:89     add_cloud_metadata: hosting provider type not detected.
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
2020-09-11T18:52:42.450-0700    INFO    [esclientleg]   eslegclient/connection.go:314   Attempting to connect to Elasticsearch version 7.9.0
2020-09-11T18:52:42.489-0700    INFO    [license]       licenser/es_callback.go:51      Elasticsearch license: Basic
  talk to server... OK
  version: 7.9.2

The line "security: server's certificate chain verification is enabled" is the one worth checking: it confirms the CA given in ssl.certificate_authorities is actually used to validate the server. Had ssl.verification_mode been set to none, Winlogbeat would accept any certificate presented by 10.0.0.1, TLS or not.
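Before the service goes in, this is the hardening step the config above is missing, written as an added example rather than code from the original post: a least-privilege writer role and user instead of elastic, the shipper password in the Beats keystore instead of the YAML, and ACLs on the files that hold secrets. Everything it assumes is listed in the header comment. The one non-obvious point is the data path: the test output above reports "Data path: [C:\winlogbeat-7.9.2\data]" for a manual run, but the bundled install-service-winlogbeat.ps1 registers the service with --path.data under C:\ProgramData\winlogbeat, and the keystore is looked up in path.data, so it has to be created where the service will look.

```powershell
# Added example, not code from the original post. Replaces the 'elastic' superuser and the
# clear-text password in winlogbeat.yml with a least-privilege user whose password lives
# in the Beats keystore, then restricts who can read the config and the keystore.
# Assumptions (none come from the post): winlogbeat is in C:\winlogbeat-7.9.2 and
# Elasticsearch is https://10.0.0.1:9200, as configured above; the service will be
# installed with the bundled install-service-winlogbeat.ps1, which starts winlogbeat with
# --path.data "$env:ProgramData\winlogbeat", so the keystore is created there; the
# private CA is added to the machine Root store only so Invoke-RestMethod trusts the
# cluster (Winlogbeat itself trusts what ssl.certificate_authorities in its YAML says).
$BeatHome = 'C:\winlogbeat-7.9.2'
$Beat     = Join-Path $BeatHome 'winlogbeat.exe'
$Yml      = Join-Path $BeatHome 'winlogbeat.yml'
$DataDir  = Join-Path $env:ProgramData 'winlogbeat'
$EsUrl    = 'https://10.0.0.1:9200'

certutil -addstore -f Root (Join-Path $BeatHome 'SecurityNik-CA.pem') | Out-Null
[Net.ServicePointManager]::SecurityProtocol = 'Tls12'

$admin   = Get-Credential -UserName 'elastic' -Message 'Elasticsearch superuser (setup only)'
$shipper = Get-Credential -UserName 'winlogbeat_writer' -Message 'Choose a password for the shipper user'
$basic   = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes(
               "$($admin.UserName):$($admin.GetNetworkCredential().Password)"))
$hdr     = @{ Authorization = "Basic $basic" }

# 0. One-time setup (index template, ILM policy, dashboards) while the YAML still carries
#    the admin credentials. The writer role below can only verify these exist.
& $Beat setup -e -c $Yml --path.data $DataDir

# 1. Writer role: publish into winlogbeat-* (ILM writes through the winlogbeat-7.9.2 alias,
#    which the pattern covers) and read cluster and ILM state. No setup, no reads.
$role = @{
    cluster = @('monitor', 'read_ilm')
    indices = @(@{ names = @('winlogbeat-*'); privileges = @('create_doc', 'view_index_metadata') })
} | ConvertTo-Json -Depth 5
Invoke-RestMethod -Method Put -Uri "$EsUrl/_security/role/winlogbeat_writer" `
    -Headers $hdr -ContentType 'application/json' -Body $role | Out-Null

# 2. Dedicated user carrying only that role.
$user = @{ password = $shipper.GetNetworkCredential().Password; roles = @('winlogbeat_writer') } | ConvertTo-Json
Invoke-RestMethod -Method Put -Uri "$EsUrl/_security/user/winlogbeat_writer" `
    -Headers $hdr -ContentType 'application/json' -Body $user | Out-Null

# 3. Keystore in the service's data directory. The secret is written to stdin through a
#    raw stream so that no trailing newline becomes part of it, which is what
#    "$pw | winlogbeat.exe keystore add ES_PWD --stdin" would do.
New-Item -ItemType Directory -Path $DataDir -Force | Out-Null
& $Beat keystore create --force --path.data $DataDir
$psi = New-Object System.Diagnostics.ProcessStartInfo
$psi.FileName              = $Beat
$psi.Arguments             = "keystore add ES_PWD --stdin --force --path.data `"$DataDir`""
$psi.UseShellExecute       = $false
$psi.RedirectStandardInput = $true
$proc = [System.Diagnostics.Process]::Start($psi)
$proc.StandardInput.Write($shipper.GetNetworkCredential().Password)
$proc.StandardInput.Close()
$proc.WaitForExit()
if ($proc.ExitCode -ne 0) { throw "keystore add failed with exit code $($proc.ExitCode)" }

# 4. Point the YAML at the new user and the keystore entry. In a -replace replacement
#    string '$1' is the captured indentation and '$$' is a literal '$', so the line
#    becomes   password: "${ES_PWD}"   and the secret never appears in the file.
(Get-Content -Path $Yml) -replace '^(\s*)username:\s*".*"$', '$1username: "winlogbeat_writer"' `
                         -replace '^(\s*)password:\s*".*"$', '$1password: "$${ES_PWD}"' |
    Set-Content -Path $Yml

# 5. Only SYSTEM (the account the service runs as) and Administrators may read the config
#    and the keystore directory; inherited ACEs such as BUILTIN\Users:Read are dropped.
foreach ($path in @($Yml, $DataDir)) {
    $acl = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($true, $false)
    $inherit = if (Test-Path -Path $path -PathType Container) { 'ContainerInherit,ObjectInherit' } else { 'None' }
    foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', $inherit, 'None', 'Allow')))
    }
    Set-Acl -Path $path -AclObject $acl
}

# 6. Re-test with the data path the service will use, so the ${ES_PWD} keystore lookup is
#    exercised with the new user before the service is started.
& $Beat test output -c $Yml --path.data $DataDir
```

If the service log later shows 403s while loading the template or ILM policy, that is the writer role doing its job; since step 0 already created them, set setup.template.enabled: false and setup.ilm.check_exists: false in winlogbeat.yml rather than widening the role.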
With the configuration tested, install Winlogbeat as a service using the bundled script, then start it:

PS C:\winlogbeat-7.9.2> .\install-service-winlogbeat.ps1

Status   Name               DisplayName
------   ----               -----------
Stopped  winlogbeat         winlogbeat

PS C:\winlogbeat-7.9.2> Start-Service winlogbeat
PS C:\winlogbeat-7.9.2> Get-Service winlogbeat

Status   Name               DisplayName
------   ----               -----------
Running  winlogbeat         winlogbeat
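"Running" only says the process is up. As an added example, not code from the original post, the following checks how the service was registered, surfaces recent errors from its log, and confirms that documents, Sysmon's in particular, are arriving in Elasticsearch. It assumes the cluster and CA from the configuration above, that the CA is trusted by the machine Root store (needed by Invoke-RestMethod only), and that the service was created by the bundled install script, which passes --path.data and --path.logs under C:\ProgramData\winlogbeat. The read query uses elastic for brevity; a read-only role would do.

```powershell
# Added example, not part of the original post: post-install verification.
function Test-WinlogbeatService {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='winlogbeat'"
    if (-not $svc) { throw 'winlogbeat service is not installed' }

    # New-Service registers LocalSystem by default, which is also what lets the beat read
    # the Security channel. PathName shows the -c and --path.* arguments actually in use.
    $svc | Select-Object Name, State, StartMode, StartName, PathName | Format-List | Out-String | Write-Host

    # The service redirects stderr into <path.logs>\winlogbeat; show recent problems.
    $log = Join-Path $env:ProgramData 'winlogbeat\logs\winlogbeat'
    if (Test-Path -LiteralPath $log) {
        Get-Content -LiteralPath $log -Tail 200 |
            Select-String -Pattern '\b(ERROR|WARN)\b' |
            Select-Object -Last 10 | Write-Host
    }
    return $svc.State
}

function Get-WinlogbeatSysmonCount {
    param(
        [string]$EsUrl = 'https://10.0.0.1:9200',
        [pscredential]$Cred = (Get-Credential -UserName 'elastic' -Message 'Elasticsearch read access')
    )
    [Net.ServicePointManager]::SecurityProtocol = 'Tls12'
    $basic = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes(
                 "$($Cred.UserName):$($Cred.GetNetworkCredential().Password)"))
    $hdr = @{ Authorization = "Basic $basic" }

    # Indices first: with ILM enabled the data lands in winlogbeat-7.9.2-<date>-000001
    # behind the winlogbeat-7.9.2 write alias, so match on the prefix.
    Invoke-RestMethod -Uri "$EsUrl/_cat/indices/winlogbeat-*?v&h=index,docs.count,store.size" -Headers $hdr | Write-Host

    # Then count documents from the Sysmon provider. Zero while the service is running
    # means the Microsoft-Windows-Sysmon/Operational entry is missing from
    # winlogbeat.event_logs or Sysmon is not actually installed on this host.
    $q = @{ query = @{ term = @{ 'winlog.provider_name' = 'Microsoft-Windows-Sysmon' } } } | ConvertTo-Json -Depth 5
    $r = Invoke-RestMethod -Method Post -Uri "$EsUrl/winlogbeat-*/_count" `
             -Headers $hdr -ContentType 'application/json' -Body $q
    return [int]$r.count
}

Test-WinlogbeatService
Get-WinlogbeatSysmonCount
```

Run it a minute or two after starting the service; the first batch takes a moment, and a count that keeps growing between runs is the real sign that the pipeline from Sysmon through Winlogbeat to Elasticsearch is healthy.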
Posts in this series:
References:
https://www.elastic.co/downloads/beats/winlogbeat
https://www.howtogeek.com/670314/how-to-zip-and-unzip-files-using-powershell/