Now that I have Elasticsearch and Kibana up and running, I need to start feeding in those sweet, sweet logs. Normally, one would set up Logstash to import these logs into Elasticsearch, but those clever cats at Elastic have created Beats to help. Beats is the platform for single-purpose data shippers. They install as lightweight agents and send data from hundreds or thousands of machines to Logstash or Elasticsearch. In this post I am going to cover installing winlogbeat and packetbeat on my Windows 10 VM and configuring them to talk to the Elasticsearch instance running on my MacBook.
0. Virtual Machine Setup
Although not extremely important to the process below, here are the high-level notes about the VM:
- OS Name: Microsoft Windows 10
- OS Version: 10.0.14393 N/A Build 14393
- System Model: VirtualBox
- System Type: x64-based PC
- Total Physical Memory: 2,048 MB
- Installed Software:
  - Sysmon v6.0
  - Chrome Version 57.0.2987.98 (64-bit)
  - Notepad++ 7.3.3
  - WireShark Version 2.2.5 (v2.2.5-0-g440fd4d)
  - Greenshot 22.214.171.124
1. Download WinLogBeat
I grabbed my copy (5.2.2) from https://www.elastic.co/downloads/beats/winlogbeat
2. Unzip and configure WinLogBeat
The extracted folder should look like this:
We need to edit the winlogbeat.yml before we install the service.
2.1 Edit the Logs WinLogBeat is listening to
I changed the default config from this:
to include sysmon and a few of the other bigger logs from this Windows 10 machine:
2.2 Configure network settings for Elasticsearch
On my MacBook I have Elasticsearch configured to listen on 0.0.0.0:9200, which means port 9200 on all network interfaces, including the interface VirtualBox set up as the default gateway for the VM.
A quick check of the VM’s network info tells me the default gateway is 10.0.2.2. So I changed:
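Since the screenshots of the edited file are not reproduced here, this is an added example (not the post's own file) of what the relevant parts of winlogbeat.yml look like after both changes from steps 2.1 and 2.2: the three channels that ship in the default 5.x config plus the Sysmon operational channel, and the output pointed at the host gateway address 10.0.2.2 from the post. The PowerShell channel is an assumption standing in for whichever "other bigger logs" the author added; the Sysmon channel name is the real one Sysmon writes to.

```yaml
# winlogbeat.yml (excerpt) - added example, assumes winlogbeat 5.x

winlogbeat.event_logs:
  # These three are the channels in the stock 5.x config
  - name: Application
    ignore_older: 72h
  - name: Security
  - name: System
  # Sysmon writes here; without this line none of the Sysmon
  # process/network/image-load events reach Elasticsearch
  - name: Microsoft-Windows-Sysmon/Operational
  # Assumed extra channel, standing in for the other logs the author added
  - name: Microsoft-Windows-PowerShell/Operational

output.elasticsearch:
  # Default is ["localhost:9200"], which on the guest would point at the VM
  # itself. 10.0.2.2 is the VirtualBox default gateway, i.e. the MacBook.
  hosts: ["10.0.2.2:9200"]
```

With no authentication configured yet, anything on the VirtualBox NAT network that can reach 10.0.2.2:9200 can write to (and read from) the cluster; the X-Pack credentials the author mentions adding later belong in this same output.elasticsearch block as username and password keys.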
I had to change this file again to include authentication creds when I installed the X-Pack plugin, but I will get there in another post. Baby steps people. Baby steps.
3. Install WinLogBeat
Included in the WinLogBeat files is a handy dandy install-service-winlogbeat.ps1 that does the heavy lifting for installing the WinLogBeat service. Simply run that file and then start the service. Now you should be sending logs from WinLogBeat to Elasticsearch. To confirm, check out the terminal window running Elasticsearch and you should see something like this:
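The same install and a confirmation from the guest side, as an added example rather than commands from the post. It assumes an elevated PowerShell prompt in the extracted winlogbeat folder, winlogbeat 5.x (where -configtest is still a flag), and Elasticsearch reachable at 10.0.2.2:9200 without authentication, as in the post; the Sysmon channel name is the real one, the index pattern winlogbeat-* is the default.

```powershell
# Added example - run as Administrator from the extracted winlogbeat directory

# 1. Validate winlogbeat.yml before installing anything (5.x syntax)
.\winlogbeat.exe -c .\winlogbeat.yml -configtest -e

# 2. Install and start the Windows service using the shipped script
PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-winlogbeat.ps1
Start-Service winlogbeat
Get-Service winlogbeat          # Status should read Running

# 3. Confirm from the guest that a daily index appeared on the MacBook
$es = 'http://10.0.2.2:9200'    # gateway address from the post; no auth yet
Invoke-RestMethod -Uri "$es/_cat/indices/winlogbeat-*?v"

# 4. Confirm Sysmon events specifically are landing, not just Application/System.
#    log_name is the winlogbeat 5.x field that carries the channel name.
$body = '{"query":{"match_phrase":{"log_name":"Microsoft-Windows-Sysmon/Operational"}}}'
Invoke-RestMethod -Method Post -Uri "$es/winlogbeat-*/_count" `
    -ContentType 'application/json' -Body $body

# If the count stays at 0, check that Sysmon is installed (Get-Service Sysmon)
# and that the channel name in winlogbeat.yml matches exactly.
```

Step 4 is the check worth keeping around: a non-zero document count in Kibana proves the shipper works, but only a count filtered on the Sysmon channel proves the one log you actually added in step 2.1 is being read.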
4. Configure Kibana to index WinLogBeat logs
Now that logs are flowing freely into Elasticsearch, it is time to update Kibana with an index pattern. Under Management, go to Index Patterns. In the field, put “winlogbeat*” to start indexing these logs. Then click on Discover and BOO YAH, we have logs.
5. Download, Configure, and Install PacketBeat The Same Way
Download PacketBeat from here. PacketBeat on Windows does require a prior installation of WinPcap. I installed WireShark and opted to install WinPcap at the same time. You do what you feel is best. After you extract the packetbeat package on the Windows guest, configure the packetbeat.yml to point to the Elasticsearch on the MacBook. Change:
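Again the edited file is only a screenshot in the post, so here is an added example (not the author's file) of a minimal packetbeat.yml for the Windows guest, assuming packetbeat 5.x. Unlike Linux, Windows selects the capture interface by numeric index; the index 0 below is an assumption and should be replaced with the number `.\packetbeat.exe -devices` prints for the VM's NAT adapter. The output change mirrors the winlogbeat one, with the gateway address 10.0.2.2 from the post.

```yaml
# packetbeat.yml (excerpt) - added example, assumes packetbeat 5.x on Windows

# On Windows this must be a device index, not a name like "eth0".
# List the WinPcap-visible adapters first with:  .\packetbeat.exe -devices
packetbeat.interfaces.device: 0      # assumed index of the VM's NAT adapter

# Bidirectional flow records, handy for spotting who the VM talks to
packetbeat.flows:
  timeout: 30s
  period: 10s

# Protocol parsers and the ports they decode. Keep this list tight:
# every extra port costs parsing time on a 2 GB VM.
packetbeat.protocols.icmp:
  enabled: true
packetbeat.protocols.dns:
  ports: [53]
  include_authorities: true
  include_additionals: true
packetbeat.protocols.http:
  ports: [80, 8080, 8000, 5000, 8002]

output.elasticsearch:
  # Default ["localhost:9200"] points at the guest; the MacBook sits at the
  # VirtualBox gateway address from the post.
  hosts: ["10.0.2.2:9200"]
```

The zip ships an install-service-packetbeat.ps1 alongside the binary, so installing and starting the service follows the same two lines used for winlogbeat; in Kibana the matching index pattern is “packetbeat*”.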
I also had to change this file again to include authentication creds when I installed the X-Pack plugin but I will get there in the aforementioned post.