WinLogBeat Forwarding

Integrating WinLogBeat With Blumira

Blumira’s modern cloud SIEM platform integrates with WinLogBeat to detect cybersecurity threats and provide actionable response to remediate when a threat is detected.


When configured, the Blumira integration with WinLogBeat will stream security event logs to the Blumira service for automated threat detection and actionable response.


Get visibility, detect and respond to threats faster:

  • Quickly detect known and suspected threats with Blumira’s cloud-based platform
  • Reduce the noise of false-positive alerts with backend automation and fine-tuned alerting
  • Detect lateral movement across your environment with virtual honeypots
  • Get guided and actionable remediation playbooks for teams without security expertise
  • View easy-to-understand dashboards and security threat reports to help organizations meet compliance requirements



Set Up Instructions

Configure Log Forwarding from WinLogBeat

Required Blumira Module: Logstash

Winlogbeat is a log shipper by Elastic that Blumira primarily recommends for WEF log collection on the main WEF server that logs are being forwarded to. However, it can also be used as an alternative to NXLog if there are issues with NXLog.

  1. Download the WinLogBeat client for your architecture; for modern Windows servers you will likely want https://artifacts.elastic.co/downloads/beats/winlogbeat/winlogbeat-7.1.1-windows-x86_64.zip.
  2. Unzip to C:\Program Files\winlogbeat\
  3. Replace the winlogbeat.yml file with the content below. If you are not using WEF, you can remove the ForwardedEvents section so that the top event_logs entry will be - name: Application.
    #======================= Winlogbeat specific options ==========================
    # Event logs to collect; ignore_older skips events older than the given age.
    winlogbeat.event_logs:
     - name: ForwardedEvents
       ignore_older: 24h
     - name: Application
       ignore_older: 72h
     - name: Security
     - name: System
    #================================ General =====================================
    # The name of the shipper that publishes the network data. It can be used to group
    # all the transactions sent by a single shipper in the web interface.
    name: <ip_of_host>
    #----------------------------- Logstash output --------------------------------
    output.logstash:
     # The Logstash hosts
     hosts: ["<ip_of_your_sensor>:5044"]
  4. Open the winlogbeat.yml file and ensure that you have completed the following steps:
    1. Replace <ip_of_host> with the IP of the host sending the logs. This allows us to relate the logs to that host appropriately.
    2. Replace <ip_of_your_sensor> with the internal address of your sensor.
  5. Note that port 5044/TCP must be open between the host getting this agent and the sensor.
  6. Install winlogbeat as a service by running the following commands from an Administrator command prompt (right-click cmd and select Run as Administrator):
    cd "C:\Program Files\winlogbeat"
    Powershell.exe -ExecutionPolicy Unrestricted -File install-service-winlogbeat.ps1
  7. You will be prompted with a Security warning. Press R for Run once, which will install the service. You should then see:
    Status      Name              DisplayName
    ------      ----              -----------
    Stopped     winlogbeat        winlogbeat
  8. The service is installed to start automatically, so just start it with net start winlogbeat in the same window, which should result in the message The winlogbeat service was started successfully.
  9. Configuration and installation of the winlogbeat service is complete. During troubleshooting, Blumira Support may need the content from C:\ProgramData\winlogbeat\logs to determine if there are any communication issues.
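
To confirm the result of the steps above, the following post-install check can be run from an elevated PowerShell prompt on the host. It is an added example, not part of Blumira's or Elastic's instructions; it assumes Windows PowerShell 5.1 or later, the install path and service name used above, and a single IPv4 or hostname entry in the hosts list.

```powershell
# Added example: post-install checks for the Winlogbeat -> Blumira sensor setup.
# Paths, service name and port come from the steps above; variable names are illustrative.
$BeatDir = 'C:\Program Files\winlogbeat'
$Config  = Join-Path $BeatDir 'winlogbeat.yml'
$Exe     = Join-Path $BeatDir 'winlogbeat.exe'
$LogDir  = 'C:\ProgramData\winlogbeat\logs'

# 1. Fail early if the template placeholders were never replaced.
$yaml = Get-Content -Path $Config -Raw
if ($yaml -match '<ip_of_host>|<ip_of_your_sensor>') {
    throw "Placeholders still present in $Config; edit them before starting the service."
}

# 2. Pull the sensor address and port out of the hosts: line.
if ($yaml -match 'hosts:\s*\[\s*"(?<addr>[^":]+):(?<port>\d+)"') {
    $sensor = $Matches['addr']
    $port   = [int]$Matches['port']
} else {
    throw "No Logstash hosts entry found in $Config."
}

# 3. Let Winlogbeat parse its own configuration.
& $Exe test config -c $Config
if ($LASTEXITCODE -ne 0) { throw 'winlogbeat test config reported an error.' }

# 4. Confirm the TCP path to the sensor (5044/TCP in the steps above).
$tcp = Test-NetConnection -ComputerName $sensor -Port $port -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    throw "Cannot reach ${sensor}:$port over TCP; check host and network firewalls."
}

# 5. Ask Winlogbeat to connect to the configured Logstash output.
& $Exe test output -c $Config
if ($LASTEXITCODE -ne 0) { throw 'winlogbeat test output failed.' }

# 6. The service should exist, start automatically and be running.
$svc = Get-Service -Name winlogbeat
if ($svc.StartType -ne 'Automatic') { Write-Warning "Start type is $($svc.StartType)." }
if ($svc.Status -ne 'Running')      { Write-Warning "Service status is $($svc.Status)." }

# 7. Show the newest log lines, the same files Blumira Support may ask for.
Get-ChildItem -Path $LogDir -File | Sort-Object LastWriteTime -Descending |
    Select-Object -First 1 | Get-Content -Tail 20
```

A failure at check 4 points to the firewall requirement in step 5, while a failure at check 5 with check 4 passing points to the sensor side of the connection.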