Skip to content

Windows Event logs with Winlogbeat

Coralogix provides a seamless integration with Winlogbeat to help you send your Windows Event Viewer logs directly to Coralogix and parse them according to your needs.

Prerequisites

  1. Select the Coralogix Logstash Hostname and SSL/TLS Certificate Authority associated with your Coralogix domain.

[table id=90 /]

  1. Please install Winlogbeat in the Windows system to monitor.

  2. In order to be able to establish  a secure connection to the Coralogix Portal from the monitored Windows System, please download the correct SSL/TLS Certificate Authority as indicated in the table above. This certificate will be used later on to configure Winlogbeat.

Private Key – Your Send-Your-Data API key is a unique ID that represents your company.

Application Name – The name of your main application, for example, a company named "SuperData" would probably insert the "SuperData" string parameter, or if they would like to debug their test environment they might insert something like "SuperData-Test".

Subsystem Name – Your application probably has multiple Subsystems; for example: Backend-Servers, Middleware, Frontend-Servers, etc. Inserting the SubSystem Name facilitate your data's examination.

Configuration

  1. Create a directory (for example C:\Certs) in the Windows station to monitor (where you had already installed Winlogbeat).

  2. Download the appropriate SSL/TLS Certificate Authority for your Coralogix Portal as per the table above, and copy it to the C:\Certs directory. For example: C:\Certs\Coralogix-EU.crt.

If you use a different drive letter or directory location, please modify the sample configuration file below (winlogbeat.yml) to match the correct location.

In this example Winlogbeat will send Application, System, and Security Windows logs to a Coralogix Portal with a .com domain extension. Please adjust this configuration file to match your specific portal (both the Coralogix logstashserver and corresponding certificate).

#=========================== Winlogbeat Event Logs ============================
winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h

  - name: System

  - name: Security

fields_under_root: true
fields:
    PRIVATE_KEY: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    APP_NAME: "Windows_Logs"
    SUB_SYSTEM: "Windows_events"
#----------------------------- Logstash output --------------------------------
output.logstash:
    enabled: true
#If your Coralogix domain ends with .com use logstashserver.coralogix.com
#If your Coralogix domain ends with .us  use logstashserver.coralogix.us
#If your Coralogix domain ends with .in  use logstash.app.coralogix.in


    hosts: ["logstashserver.coralogix.com:5015"]
    index: logstash
    tls.certificate_authorities: ["C:\\Certs\\Coralogix-EU.crt"]
    ssl.certificate_authorities: ["C:\\Certs\\Coralogix-EU.crt"]
  1. If you followed correctly the Winlogbeat installation instructions earlier in this document, it should reside under:
C:\Program Files\Winlogbeat>

Please make a backup copy of the default winlogbeat.yml file now from the installation directory, and create a new winlogbeat.yml file using the code from step #2 above.

Please modify this new configuration file as needed to suit your environment. Also copy the winlogbeat.yml file to the installation directory (which is the same directory where "winlogbeat.exe" resides).

  1. To test the Winlogbeat configuration, please open PowerShell in Administrator mode and issue the command:
PS C:\Program Files\Winlogbeat> .\winlogbeat.exe test config -c .\winlogbeat.yml -e

To test the configuration. In the event that you received an error, please write it down, and contact Coralogix Support for assistance.

  1. By now the winlogbeat service should have been already installed in the Windows device to monitor. If you have not done so yet, please issue the following command from an Administrator's mode PowerShell session from the directory where the install-service-winlogbeat.ps1 PowerShell script resides:
PS C:\Program Files\Winlogbeat> .\install-service-winlogbeat.ps1
  1. Please make sure that you system is configured to run PowerShell scripts, if not, please issue the following command from an Administrator's mode PowerShell session:
PS C:\Program Files\Winlogbeat> set-executionpolicy remotesigned

(For more information, please refer to this link)

  1. Once the winlogbeat service is installed, you can then start it from an Administrator's mode PowerShell session, by issuing the command:
PS C:\Program Files\Winlogbeat> Start-Service winlogbeat
  1. At this point, Windows Event Viewer logs should be streaming to Coralogix.

Not seeing your logs in the LiveTail? Please contact us. We are always a click away from you. Please use our in-app chat for support.