Windows Event logs with Winlogbeat
Coralogix provides a seamless integration with Winlogbeat so that you can send your Windows Event Viewer logs directly to Coralogix and parse them according to your needs.
Prerequisites
- Select the Coralogix Logstash Hostname and SSL/TLS Certificate Authority associated with your Coralogix domain.
Please install Winlogbeat on the Windows system you want to monitor.
To establish a secure connection from the monitored Windows system to the Coralogix Portal, download the correct SSL/TLS Certificate Authority as indicated in the table above. This certificate is used later to configure Winlogbeat.
Private Key – Your Send-Your-Data API key is a unique ID that represents your company.
Application Name – The name of your main application. For example, a company named "SuperData" would probably insert the "SuperData" string parameter, or, to debug their test environment, something like "SuperData-Test".
Subsystem Name – Your application probably has multiple subsystems, for example Backend-Servers, Middleware, Frontend-Servers, etc. Inserting the Subsystem Name facilitates the examination of your data.
Configuration
- Create a directory (for example C:\Certs) on the Windows station to monitor (where you have already installed Winlogbeat). Download the appropriate SSL/TLS Certificate Authority for your Coralogix Portal as per the table above, and copy it to the C:\Certs directory, for example C:\Certs\Coralogix-EU.crt.
If you use a different drive letter or directory location, modify the sample configuration file below (winlogbeat.yml) to match the correct location.
- In this example Winlogbeat will send the Application, System, and Security Windows logs to a Coralogix Portal with a .com domain extension. Adjust this configuration file to match your specific portal (both the Coralogix Logstash server and the corresponding certificate).
#=========================== Winlogbeat Event Logs ============================
winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: System
  - name: Security
fields_under_root: true
fields:
  PRIVATE_KEY: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  APP_NAME: "Windows_Logs"
  SUB_SYSTEM: "Windows_events"
#----------------------------- Logstash output --------------------------------
output.logstash:
  enabled: true
  # If your Coralogix domain ends with .com use logstashserver.coralogix.com
  # If your Coralogix domain ends with .us use logstashserver.coralogix.us
  # If your Coralogix domain ends with .in use logstash.app.coralogix.in
  hosts: ["logstashserver.coralogix.com:5015"]
  index: logstash
  tls.certificate_authorities: ["C:\\Certs\\Coralogix-EU.crt"]
  ssl.certificate_authorities: ["C:\\Certs\\Coralogix-EU.crt"]
- If you followed the Winlogbeat installation instructions earlier in this document correctly, it should reside under:
Make a backup copy of the default winlogbeat.yml file from the installation directory now, and create a new winlogbeat.yml file using the configuration from step #2 above.
Modify this new configuration file as needed to suit your environment, then copy it to the installation directory (the same directory where "winlogbeat.exe" resides).
- To test the Winlogbeat configuration, open PowerShell in Administrator mode and issue the command:
If you receive an error, write it down and contact Coralogix Support for assistance.
- By now the winlogbeat service should already be installed on the Windows device to monitor. If you have not done so yet, issue the following command from an Administrator-mode PowerShell session in the directory where the install-service-winlogbeat.ps1 PowerShell script resides:
- Make sure that your system is configured to run PowerShell scripts; if it is not, issue the following command from an Administrator-mode PowerShell session:
(For more information, please refer to this link)
- Once the winlogbeat service is installed, start it from an Administrator-mode PowerShell session by issuing the command:
- At this point, Windows Event Viewer logs should be streaming to Coralogix.
Not seeing your logs in LiveTail? Please contact us; we are always a click away. Use our in-app chat for support.
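The following PowerShell script is an added example, not part of Coralogix's or Elastic's tooling, that carries out the configuration and test steps above in one go: it builds winlogbeat.yml for the chosen portal domain (using the host mapping from the comments in the sample file), refuses a missing CA file and the placeholder API key, backs up the default configuration, and then runs Winlogbeat's own test config and test output commands so that the TLS connection to the portal is verified before the service is started. The install directory, the Winlogbeat 6+ test subcommands, and the use of only the ssl.certificate_authorities key are assumptions.

```powershell
# Added example (not Coralogix's or Elastic's code); assumes Winlogbeat 6+ in $InstallDir
# and the CA file for your portal already downloaded to $CertPath.
param(
    [Parameter(Mandatory = $true)] [string] $PrivateKey,        # Send-Your-Data API key
    [ValidateSet('com', 'us', 'in')] [string] $Domain = 'com',   # portal domain extension
    [string] $InstallDir = 'C:\Program Files\Winlogbeat',        # assumed install path
    [string] $CertPath   = 'C:\Certs\Coralogix-EU.crt'
)
# Logstash endpoint per domain extension, taken from the comments in the sample winlogbeat.yml.
$hostByDomain = @{
    com = 'logstashserver.coralogix.com:5015'
    us  = 'logstashserver.coralogix.us:5015'
    in  = 'logstash.app.coralogix.in:5015'
}
if (-not (Test-Path -LiteralPath $CertPath)) {
    throw "CA certificate not found at $CertPath; download the one for the .$Domain portal first."
}
# Refuse the placeholder key from the sample file so a copied config never ships unusable.
if ($PrivateKey -match '^x{8}-x{4}-x{4}-x{4}-x{12}$') {
    throw 'PRIVATE_KEY is still the placeholder from the sample configuration.'
}
$configPath = Join-Path $InstallDir 'winlogbeat.yml'
if (Test-Path -LiteralPath $configPath) {       # keep a backup of the default file
    Copy-Item -LiteralPath $configPath -Destination "$configPath.bak" -Force
}
# A backslash must be doubled inside a double-quoted YAML string, as in the sample file.
$yamlCert = $CertPath -replace '\\', '\\'
$yaml = @"
winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: System
  - name: Security
fields_under_root: true
fields:
  PRIVATE_KEY: "$PrivateKey"
  APP_NAME: "Windows_Logs"
  SUB_SYSTEM: "Windows_events"
output.logstash:
  enabled: true
  hosts: ["$($hostByDomain[$Domain])"]
  index: logstash
  ssl.certificate_authorities: ["$yamlCert"]
"@
[IO.File]::WriteAllText($configPath, $yaml)     # UTF-8 without BOM; file now holds the API key
# Let Winlogbeat validate the file, then open a real TLS session to the portal before starting.
Push-Location $InstallDir
& .\winlogbeat.exe test config -c $configPath -e
& .\winlogbeat.exe test output -c $configPath -e
Pop-Location
```

Because the generated file contains the Send-Your-Data API key, restrict read access on it to administrators and the service account before starting the service.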