
Windows Event logs with Winlogbeat

Coralogix provides a seamless integration with Winlogbeat to help you send your Windows Event Viewer logs directly to Coralogix, and parse them according to your needs.

Prerequisites

  1. This document includes cluster-dependent URLs. Please refer to the following table to select the correct Coralogix Logstash endpoint and SSL/TLS Certificate Authority for your Coralogix Portal domain extension (.com/.us/.in):

     Cluster | Logstash Endpoint                 | SSL/TLS Certificate Authority
     .com    | logstashserver.coralogix.com:5015 | https://coralogix-public.s3-eu-west-1.amazonaws.com/certificate/Coralogix-EU.crt
     .us     | logstashserver.coralogix.us:5015  | https://www.amazontrust.com/repository/AmazonRootCA1.pem
     .in     | logstash.app.coralogix.in:5015    | https://coralogix-public.s3-eu-west-1.amazonaws.com/certificate/Coralogix-IN.pem

  2. Please install Winlogbeat on the Windows system to monitor.
  3. In order to establish a secure connection to the Coralogix Portal from the monitored Windows system, please download the correct SSL/TLS Certificate Authority as indicated in the table above. This certificate will be used later on to configure Winlogbeat.

General

Private Key – A unique ID that represents your company. The private key can be found by clicking the icon corresponding to the user logged into the Coralogix Portal on the top-right side of the page, followed by ‘Settings’ > ‘Send your logs’. It is located in the upper-left corner.

Company Id – A unique number which represents your company. You can get your company id above the Private Key from the previous step.

Application Name – The name of your main application, for example, a company named “SuperData” would probably insert the “SuperData” string parameter, or if they would like to debug their test environment they might insert something like “SuperData-Test”.

Subsystem Name – Your application probably has multiple subsystems, for example: Backend-Servers, Middleware, Frontend-Servers, etc. Inserting the Subsystem Name facilitates your data’s examination.

Configuration Steps

1. Create a directory (for example C:\Certs) in the Windows station to monitor (where you had already installed Winlogbeat).

2. Download the appropriate SSL/TLS Certificate Authority for your Coralogix Portal as per the table above, and copy it to the C:\Certs directory. For example: C:\Certs\Coralogix-EU.crt.

If you use a different drive letter or directory location, please modify the sample configuration file below (winlogbeat.yml) to match the correct location.

In this example Winlogbeat will send Application, System, and Security Windows logs to a Coralogix Portal with a .com domain’s extension. Please adjust this configuration file to match your specific portal (both the Coralogix logstashserver and corresponding certificate).

#=========================== Winlogbeat Event Logs ============================
winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h

  - name: System

  - name: Security

# Coralogix metadata is sent as top-level fields of every event
fields_under_root: true
fields:
    PRIVATE_KEY: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    COMPANY_ID: xxxx
    APP_NAME: "Windows_Logs"
    SUB_SYSTEM: "Windows_events"

#----------------------------- Logstash output --------------------------------
output.logstash:
    enabled: true
    # If your Coralogix account URL ends with .com use logstashserver.coralogix.com
    # If your Coralogix account URL ends with .us  use logstashserver.coralogix.us
    # If your Coralogix account URL ends with .in  use logstash.app.coralogix.in
    hosts: ["logstashserver.coralogix.com:5015"]
    index: logstash
    # Pin the Coralogix CA so the TLS connection to the endpoint is verified.
    # tls.* is the pre-5.0 Beats name of this setting; current Winlogbeat
    # releases read ssl.*, so keep both lines identical.
    tls.certificate_authorities: ["C:\\Certs\\Coralogix-EU.crt"]
    ssl.certificate_authorities: ["C:\\Certs\\Coralogix-EU.crt"]

3. If you followed the Winlogbeat installation instructions earlier in this document correctly, it should reside under:

C:\Program Files\Winlogbeat> 

Please make a backup copy of the default winlogbeat.yml file now from the installation directory, and create a new winlogbeat.yml file using the code from step #2 above.

Please modify this new configuration file as needed to suit your environment. Also copy the winlogbeat.yml file to the installation directory (which is the same directory where “winlogbeat.exe” resides).

4. To test the Winlogbeat configuration, please open PowerShell in Administrator mode and issue the command:

PS C:\Program Files\Winlogbeat> .\winlogbeat.exe test config -c .\winlogbeat.yml -e

If you receive an error, please write it down and contact Coralogix Support for assistance.

5. By now the winlogbeat service should already be installed on the Windows device to monitor. If you have not done so yet, please issue the following command from an Administrator’s mode PowerShell session, from the directory where the install-service-winlogbeat.ps1 PowerShell script resides:

PS C:\Program Files\Winlogbeat> .\install-service-winlogbeat.ps1

6. Please make sure that your system is configured to run PowerShell scripts. If it is not, please issue the following command from an Administrator’s mode PowerShell session:

PS C:\Program Files\Winlogbeat> set-executionpolicy remotesigned

(For more information, please refer to this link: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1)

7. Once the winlogbeat service is installed, you can then start it from an Administrator’s mode PowerShell session, by issuing the command:

PS C:\Program Files\Winlogbeat> Start-Service winlogbeat

8. At this point Windows Event Viewer logs should be streaming to Coralogix.
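Before starting the service it is worth checking the three things that most often break this setup: the CA file, network reachability of the Logstash endpoint, and whether winlogbeat.yml still carries the wrong endpoint, CA path or placeholder key. The following PowerShell helper is an added example, not part of the Coralogix documentation or Winlogbeat; the function name and the default paths (C:\Certs and C:\Program Files\Winlogbeat\winlogbeat.yml) are assumptions taken from the steps above.

```powershell
# Added helper (not Coralogix/Winlogbeat code): map a portal extension to its
# endpoint and CA from the table above, then verify the pieces step 1-3 rely on.
$Clusters = @{
    '.com' = @{ Host = 'logstashserver.coralogix.com:5015'
                Ca   = 'https://coralogix-public.s3-eu-west-1.amazonaws.com/certificate/Coralogix-EU.crt' }
    '.us'  = @{ Host = 'logstashserver.coralogix.us:5015'
                Ca   = 'https://www.amazontrust.com/repository/AmazonRootCA1.pem' }
    '.in'  = @{ Host = 'logstash.app.coralogix.in:5015'
                Ca   = 'https://coralogix-public.s3-eu-west-1.amazonaws.com/certificate/Coralogix-IN.pem' }
}

function Test-CoralogixWinlogbeatSetup {
    param(
        [Parameter(Mandatory)] [ValidateSet('.com', '.us', '.in')] [string] $Extension,
        [string] $CertDir    = 'C:\Certs',                                   # assumed, as in step 1
        [string] $ConfigPath = 'C:\Program Files\Winlogbeat\winlogbeat.yml'  # assumed, as in step 3
    )
    $c = $Clusters[$Extension]
    $hostName, $port = $c.Host -split ':'
    $caPath = Join-Path $CertDir (Split-Path $c.Ca -Leaf)

    # 1. CA file present and really a PEM certificate (download it once if missing)
    New-Item -ItemType Directory -Path $CertDir -Force | Out-Null
    if (-not (Test-Path $caPath)) { Invoke-WebRequest -Uri $c.Ca -OutFile $caPath }
    if ((Get-Content $caPath -Raw) -notmatch '-----BEGIN CERTIFICATE-----') {
        throw "$caPath is not a PEM-encoded certificate"
    }
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($caPath)
    Write-Host "CA subject: $($cert.Subject)  valid until: $($cert.NotAfter)"

    # 2. Endpoint reachable on its TLS port; firewall and proxy problems surface here
    $tcp = Test-NetConnection -ComputerName $hostName -Port ([int]$port)
    if (-not $tcp.TcpTestSucceeded) { throw "cannot reach ${hostName}:${port} from this host" }

    # 3. winlogbeat.yml agrees with the cluster chosen above; returns a list of findings
    $yml = Get-Content $ConfigPath -Raw
    $yamlCaPath = $caPath.Replace('\', '\\')          # YAML double-quoted strings escape backslashes
    $problems = @()
    if ($yml -notmatch [regex]::Escape($c.Host))   { $problems += "hosts does not contain $($c.Host)" }
    if ($yml -notmatch [regex]::Escape($yamlCaPath)) { $problems += "certificate_authorities does not reference $caPath" }
    if ($yml -match 'PRIVATE_KEY:\s*"x{8}-')        { $problems += 'PRIVATE_KEY still holds the placeholder value' }
    return $problems
}

# Example: Test-CoralogixWinlogbeatSetup -Extension '.com'   (empty output means all checks passed)
```

Run it from an Administrator PowerShell session before step 7; any strings it returns point at the line of winlogbeat.yml to correct.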

Not seeing your logs in the LiveTail? Please contact us. We are always a click away from you. Please use our in-app chat for support.