Coralogix provides a seamless integration with
Winlogbeat to help you send your Windows Event Viewer logs directly to Coralogix, and parse them according to your needs.
|Cluster||Logstash Endpoint||SSL/TLS Certificate Authority|
Winlogbeatin the Windows system to monitor.
Private Key – A unique ID that represents your company. The private key can be found by clicking the icon corresponding to the user logged into the Coralogix Portal on the top-right side of the page, followed by ‘Settings’/ ’ Send your logs’. It is located in the upper-left corner.
Company Id – A unique number which represents your company. You can get your company id above the Private Key from the previous step.
Application Name – The name of your main application, for example, a company named “SuperData” would probably insert the “SuperData” string parameter, or if they would like to debug their test environment they might insert something like “SuperData-Test”.
Subsystem Name – Your application probably has multiple Subsystems; for example: Backend-Servers, Middleware, Frontend-Servers, etc. Inserting the SubSystem Name facilitate your data’s examination.
1. Create a directory (for example C:\Certs) in the Windows station to monitor (where you had already installed
2. Download the appropriate SSL/TLS Certificate Authority for your Coralogix Portal as per the table above, and copy it to the C:\Certs directory. For example: C:\Certs\Coralogix-EU.crt.
If you use a different drive letter or directory location, please modify the sample configuration file below (winlogbeat.yml) to match the correct location.
In this example
Winlogbeat will send Application, System, and Security Windows logs to a Coralogix Portal with a .com domain’s extension. Please adjust this configuration file to match your specific portal (both the Coralogix logstashserver and corresponding certificate).
#=========================== Winlogbeat Event Logs ============================ winlogbeat.event_logs: - name: Application ignore_older: 72h - name: System - name: Security fields_under_root: true fields: PRIVATE_KEY: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" COMPANY_ID: xxxx APP_NAME: "Windows_Logs" SUB_SYSTEM: "Windows_events" #----------------------------- Logstash output -------------------------------- output.logstash: enabled: true #If your Coralogix account URL ends with .com use logstashserver.coralogix.com #If your Coralogix account URL ends with .us use logstashserver.coralogix.us #If your Coralogix account URL ends with .in use logstash.app.coralogix.in hosts: ["logstashserver.coralogix.com:5015"] index: logstash tls.certificate_authorities: ["C:\\Certs\\Coralogix-EU.crt"] ssl.certificate_authorities: ["C:\\Certs\\Coralogix-EU.crt"]
3. If you followed correctly the Winlogbeat installation instructions earlier in this document, it should reside under:
Please make a backup copy of the default winlogbeat.yml file now from the installation directory, and create a new winlogbeat.yml file using the code from step #2 above.
Please modify this new configuration file as needed to suit your environment. Also copy the winlogbeat.yml file to the installation directory (which is the same directory where “winlogbeat.exe” resides).
4. To test the Winlogbeat configuration, please open PowerShell in Administrator mode and issue the command:
PS C:\Program Files\Winlogbeat> .\winlogbeat.exe test config -c .\winlogbeat.yml -e
To test the configuration. In the event that you received an error, please write it down, and contact Coralogix Support for assistance.
5. By now the winlogbeat service should have been already installed in the Windows device to monitor. If you have not done so yet, please issue the following command from an Administrator’s mode PowerShell session from the directory where the install-service-winlogbeat.ps1 PowerShell script resides:
PS C:\Program Files\Winlogbeat> .\install-service-winlogbeat.ps1
6. Please make sure that you system is configured to run PowerShell scripts, if not, please issue the following command from an Administrator’s mode PowerShell session:
PS C:\Program Files\Winlogbeat> set-executionpolicy remotesigned
(For more information, please refer to this link: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1)
7. Once the winlogbeat service is installed, you can then start it from an Administrator’s mode PowerShell session, by issuing the command:
PS C:\Program Files\Winlogbeat> Start-Service winlogbeat
8. At this point Windows Event Viewer logs should be streaming to Coralogix.
Not seeing your logs in the LiveTail? Please contact us. We are always a click away from you. Please use our in-app chat for support.