Coralogix provides a seamless integration with Winlogbeat to help you send your Windows Event Viewer logs directly to Coralogix and parse them according to your needs.
Prerequisites
This document includes cluster-dependent URLs. Each URL has a variable part (in italics). Match this part with a row in the following table: copy the entry in the column that matches the top-level domain of your Coralogix account (.com, .in etc.) and replace the variable part of the URL with it.

| | .com | .in |
|---|---|---|
| Elasticsearch-API | https://coralogix-esapi.coralogix.com:9443 | https://es-api.app.coralogix.in:9443 |
| SSL Certificates | https://coralogix-public.s3-eu-west-1.amazonaws.com/certificate/Coralogix-EU.crt | https://coralogix-public.s3-eu-west-1.amazonaws.com/certificate/Coralogix-IN .pem |
| Cluster URL | coralogix.com | app.coralogix.in |
- Have Winlogbeat installed. For more information on how to install it, see https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation.html
- Install our SSL certificate on your system to provide a secure connection. You can download it using the following link: https://coralogix-public.s3-eu-west-1.amazonaws.com/certificate/ca.crt
General
Private Key – A unique ID which represents your company. This ID will be sent to your mail once you register to Coralogix.
Company ID – A unique number which represents your company. You can get your company ID from the settings tab in the Coralogix dashboard.
Application Name – The name of your main application. For example, a company named “SuperData” would probably insert the “SuperData” string parameter, or, if they want to debug their test environment, they might insert “SuperData– Test”.
SubSystem Name – Your application probably has multiple subsystems, for example Backend servers, Middleware, Frontend servers etc. Inserting the subsystem parameter is vital in order to help you examine the data you need.
Configuration
Open your Winlogbeat configuration file and configure it to use Logstash. For more information about configuring Winlogbeat to use Logstash please refer to https://www.elastic.co/guide/en/beats/winlogbeat/current/config-winlogbeat-logstash.html

Point your Winlogbeat output to the Coralogix Logstash server:

If your account name ends with .com use: logstashserver.coralogix.com:5015

If your account name ends with .in use: logstashserver.app.coralogix.in:5015
In addition, you should add Coralogix configuration from the General section.
Here is a basic example of winlogbeat.yml:
```yaml
#=========================== Winlogbeat Event Logs ============================
winlogbeat.event_logs:
  - name: Application
  - name: Applications
    ignore_older: 72h
  - name: Security
  - name: System

# Coralogix metadata, placed at the event root so the backend can route the log
fields_under_root: true
fields:
  PRIVATE_KEY: "YOUR_PRIVATE_KEY"
  COMPANY_ID: Your company ID
  APP_NAME: "APP_NAME"
  SUB_SYSTEM: "windows_events"

#----------------------------- Logstash output --------------------------------
output.logstash:
  enabled: true
  # If your Coralogix account URL ends with .com use logstashserver.coralogix.com
  # If your Coralogix account URL ends with .in use logstashserver.app.coralogix.in
  hosts: ["appropriate-logstash-endpoint:5015"]
  index: logstash
  # The Coralogix CA from the prerequisites; tls.* is the older Beats spelling of
  # the same option, ssl.* is the current one
  tls.certificate_authorities: ["<path to folder with certificates>\\ca.crt"]
  ssl.certificate_authorities: ["<path to folder with certificates>\\ca.crt"]
```
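Before starting the service it is worth checking that the placeholders above were actually replaced, that the Logstash endpoint matches your account's top-level domain, and that the CA bundle is configured. The following added Python check (not Coralogix's or Elastic's code) does that over the dict PyYAML's `yaml.safe_load()` returns for winlogbeat.yml; `SAMPLE`, the placeholder strings and the Windows path are constructed assumptions.

```python
# Added sanity check for a Winlogbeat -> Coralogix config (not Coralogix's or
# Elastic's code). Pass the dict that yaml.safe_load() returns for winlogbeat.yml
# plus the account's top-level domain; SAMPLE is a constructed stand-in.
ENDPOINTS = {".com": "logstashserver.coralogix.com:5015",
             ".in": "logstashserver.app.coralogix.in:5015"}
PLACEHOLDERS = {"YOUR_PRIVATE_KEY", "Your company ID", "APP_NAME"}

SAMPLE = {  # constructed: the page's example with the placeholders filled in
    "winlogbeat.event_logs": [{"name": "Application"}, {"name": "Security"},
                              {"name": "System", "ignore_older": "72h"}],
    "fields_under_root": True,
    "fields": {"PRIVATE_KEY": "example-private-key", "COMPANY_ID": 12345,
               "APP_NAME": "SuperData", "SUB_SYSTEM": "windows_events"},
    "output.logstash": {"enabled": True, "index": "logstash",
                        "hosts": ["logstashserver.coralogix.com:5015"],
                        "ssl.certificate_authorities": ["C:\\certs\\ca.crt"]},
}


def flatten(node, prefix=""):
    """Merge nested dicts and Beats-style dotted keys into one flat dotted map."""
    flat = {}
    for key, value in node.items():
        if isinstance(value, dict):
            flat.update(flatten(value, f"{prefix}{key}."))
        else:
            flat[f"{prefix}{key}"] = value
    return flat


def check_config(config, tld):
    """Return a list of findings; an empty list means the config looks ready."""
    cfg, findings = flatten(config), []
    hosts = cfg.get("output.logstash.hosts") or []
    if hosts != [ENDPOINTS[tld]]:
        findings.append(f"hosts must be [{ENDPOINTS[tld]!r}] for a {tld} account, got {hosts}")
    if not cfg.get("output.logstash.ssl.certificate_authorities"):
        findings.append("ssl.certificate_authorities is empty: the Coralogix CA is not configured")
    if "output.logstash.tls.certificate_authorities" in cfg:
        findings.append("tls.certificate_authorities is the older Beats key; keep the ssl.* key")
    if cfg.get("fields_under_root") is not True:
        findings.append("fields_under_root must be true so PRIVATE_KEY etc. land at the event root")
    for name in ("PRIVATE_KEY", "COMPANY_ID", "APP_NAME", "SUB_SYSTEM"):
        value = cfg.get(f"fields.{name}")
        if value in (None, "") or str(value) in PLACEHOLDERS:
            findings.append(f"fields.{name} is missing or still a placeholder")
    if "Security" not in {e.get("name") for e in cfg.get("winlogbeat.event_logs", [])}:
        findings.append("the Security event log is not collected")
    return findings
```

Run it as `check_config(yaml.safe_load(open("winlogbeat.yml")), ".com")` and fix every finding it prints before starting the service.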
Test configuration
Before starting, test your configuration:
PS C:\Program Files\Winlogbeat> .\winlogbeat.exe test config -c .\winlogbeat.yml -e
Start Winlogbeat
Start your Winlogbeat service:
PS C:\Program Files\Winlogbeat> Start-Service winlogbeat
You should now have your Windows event viewer logs streaming into Coralogix. Not seeing your logs in our LiveTail? We are always a click away. Use our in-app chat for support.