WinLogBeat Forwarding

Integrating WinLogBeat With Blumira

Blumira’s modern cloud SIEM platform integrates with WinLogBeat to detect cybersecurity threats and provide actionable response to remediate when a threat is detected.

WinLogBeat is a log shipper by Elastic that Blumira primarily recommends for WEF log collection on the main WEF server that logs are being forwarded to. However, it can also be used as an alternative to NXLog if there are issues with NXLog.

Set Up Instructions

Overview

Use the Blumira integration with Winlogbeat to stream Windows event logs to Blumira for automated threat detection and actionable response. Winlogbeat is a log shipper that is primarily recommended for Windows event forwarding (WEF) from the main server where your Windows event logs are being collected. It can be used as an alternative to NXLog if you experience issues when using NXLog, but Poshim/NXLog is the preferred method of shipping Windows logs to Blumira.

Important: Do not use Poshim/NXLog and Winlogbeat together on the same system.

Configure Log Forwarding from WinLogBeat

Required Blumira Module: Logstash

  1. Download the Winlogbeat client appropriate for your architecture.
    Tip: Use https://artifacts.elastic.co/downloads/beats/winlogbeat/winlogbeat-7.1.1-windows-x86_64.zip for modern Windows servers.
  2. Unzip to C:\Program Files\winlogbeat
  3. Replace the winlogbeat.yml file with the content below. If you are not using WEF, you can delete the lines “- name: ForwardedEvents  ignore_older: 24h”.
    #======================= Winlogbeat specific options ==========================
    
    winlogbeat.event_logs:
     - name: ForwardedEvents
       ignore_older: 24h
     - name: Application
       ignore_older: 72h
     - name: Security
     - name: System
    
    #================================ General =====================================
    
    # The name of the shipper that publishes the network data. It can be used to group
    # all the transactions sent by a single shipper in the web interface.
    name: <ip_of_host>
    
    #----------------------------- Logstash output --------------------------------
    output.logstash:
     # The Logstash hosts
     hosts: ["<ip_of_your_sensor>:5044"]
  4. Open the winlogbeat.yml file and complete the following steps:
    1. Change <ip_of_host> to the IP of the host sending the logs. This will allow us to relate them appropriately.
    2. Change <ip_of_your_sensor> to the internal address for your sensor.
  5. Ensure that Port 5044/TCP is open between the host getting this agent and the sensor.
  6. Install winlogbeat as a service by running the following commands in an Administrator command prompt (right-click cmd and select Run as Administrator):
    cd "C:\Program Files\winlogbeat"
    Powershell.exe -ExecutionPolicy Unrestricted -File install-service-winlogbeat.ps1
  7. In the security warning prompt, press R for Run once which will install the service. You should then see:
    Status   Name         DisplayName
    ------   ----         -----------
    Stopped  winlogbeat   winlogbeat
  8. The service should be installed as “Automatically started”. Initiate the service with net start winlogbeat in the same window. You will see the message “The winlogbeat service was started successfully.”
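
The following pre-flight check ties the steps above together: it confirms the placeholders from step 4 were replaced, that the sensor's 5044/TCP port from step 5 is reachable, that NXLog is not shipping logs alongside Winlogbeat (the Important note), that the service from steps 7-8 is running, and it surfaces recent errors from the log directory Support asks for. It is an added example, not Blumira's or Elastic's own script; it assumes the default paths used in this document and that the Poshim-installed NXLog service is registered under the name nxlog.

```powershell
# Added pre-flight check for the setup steps above; not Blumira's or Elastic's own script.
# Assumes: default install path (step 2), log path (Note), and an NXLog service named 'nxlog' (assumption).
param(
    [string]$ConfigPath = "C:\Program Files\winlogbeat\winlogbeat.yml",
    [string]$LogDir     = "C:\ProgramData\winlogbeat\logs"
)
$problems = @()

# Step 4: both template placeholders must have been replaced.
$config = Get-Content -Path $ConfigPath -Raw
foreach ($placeholder in @('<ip_of_host>', '<ip_of_your_sensor>')) {
    if ($config.Contains($placeholder)) {
        $problems += "Placeholder $placeholder is still present in $ConfigPath"
    }
}

# Step 5: read the sensor host:port from output.logstash and confirm TCP reachability.
if ($config -match 'hosts:\s*\["([^"\]]+):(\d+)"\]') {
    $sensor = $Matches[1]; $port = [int]$Matches[2]
    $tcp = Test-NetConnection -ComputerName $sensor -Port $port -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        $problems += "Cannot reach $sensor on TCP/$port; check the firewall path to the sensor"
    }
} else {
    $problems += "No output.logstash hosts entry found in $ConfigPath"
}

# Important note: Poshim/NXLog and Winlogbeat must not both ship logs from the same system.
$nxlog = Get-Service -Name 'nxlog' -ErrorAction SilentlyContinue
if ($nxlog -and $nxlog.Status -eq 'Running') {
    $problems += "NXLog service is running alongside Winlogbeat; keep only one shipper on this host"
}

# Steps 7-8: the winlogbeat service should be installed and running.
$svc = Get-Service -Name 'winlogbeat' -ErrorAction SilentlyContinue
if (-not $svc) {
    $problems += "winlogbeat service is not installed; re-run install-service-winlogbeat.ps1"
} elseif ($svc.Status -ne 'Running') {
    $problems += "winlogbeat service is $($svc.Status); run 'net start winlogbeat'"
}

# Note: surface recent connection errors from the directory Support will ask for.
if (Test-Path $LogDir) {
    Get-ChildItem -Path $LogDir -File | ForEach-Object {
        Select-String -Path $_.FullName -Pattern 'ERROR|connection refused|i/o timeout' | Select-Object -Last 5
    }
}
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { Write-Output "All Winlogbeat pre-flight checks passed" }
```

Run it from the same Administrator prompt after step 8; any warning it prints points at the step to revisit before contacting Support.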

Note: During troubleshooting, Blumira Support may need the contents from C:\ProgramData\winlogbeat\logs to determine if there are any communication issues.