ELK Stack Pt. 2: Collecting logs from remote servers via Beats



In one of my recent posts, Installing Elasticsearch, Logstash and Kibana (ELK) on Windows Server 2012 R2, I explained how to set up and install an ELK server, but it was only collecting logs from itself. That in itself isn’t very useful, as the real value comes when you begin collecting and indexing all of the logs from remote clients/servers/devices on the network. In this post I am going to cover installing the Beats agents, which are the data shippers, on an additional Windows Server 2012 R2 VM and configuring them to report back to Logstash on the ELK stack server set up in the previous post.

Here is a quick run down of what each Beats agent does:

  • Packetbeat – Gathers network related information (requires WinPcap to be installed)
  • Topbeat – Gathers infrastructure metrics like CPU, Memory, Process and other related info
  • Filebeat – Gathers and forwards log files
  • Winlogbeat – Gathers and enriches Windows event logs

Configuring the ELK stack server for Beats Inputs

On the ELK stack server we will need to run the following PowerShell command against the logstash\bin directory to configure Logstash for input from Beats:

Invoke-Expression -Command "c:\ELK-Stack\logstash\bin\logstash-plugin install logstash-input-beats"

To verify the port that Logstash is listening on, check the logstash\bin\logstash.json configuration file for something similar:

[screenshot: logstash-input]

Take note of the input port, as it will be needed for the Beats agents' configuration files.
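To do the same check from the Logstash side without opening a screenshot, here is an added PowerShell snippet (not from the original post) that writes a minimal Beats input pipeline, confirms something is actually bound on the port, and opens the Windows firewall for it. The Logstash path and port 5044 come from the post; the pipeline file name, the firewall rule name and the 192.168.0.0/16 source range are assumptions for this example.

```powershell
# Added example: create a Beats input pipeline for Logstash and verify the listener.
# Assumptions (not from the original post): the pipeline file name/location, the
# firewall rule name, the LAN range, and that Logstash is started with this file via -f.

$LogstashRoot = 'C:\ELK-Stack\logstash'                          # from the post
$BeatsPort    = 5044                                              # must match hosts: [...] in each beat's .yml
$PipelineFile = Join-Path $LogstashRoot 'conf\beats-input.conf'   # assumed location

# Minimal pipeline: accept Beats on the port, forward to the local Elasticsearch.
$pipeline = @"
input {
  beats {
    port => $BeatsPort
  }
}
output {
  elasticsearch {
    hosts => ["localhost:9200"]
  }
}
"@

New-Item -ItemType Directory -Force -Path (Split-Path $PipelineFile) | Out-Null
Set-Content -Path $PipelineFile -Value $pipeline -Encoding ASCII
Write-Host "Wrote $PipelineFile; start Logstash with: $LogstashRoot\bin\logstash.bat -f $PipelineFile"

# Is anything actually listening on the Beats port? (Get-NetTCPConnection exists on 2012 R2.)
$listener = Get-NetTCPConnection -State Listen -LocalPort $BeatsPort -ErrorAction SilentlyContinue |
    Select-Object -First 1
if ($listener) {
    $proc = Get-Process -Id $listener.OwningProcess
    Write-Host "Port $BeatsPort is listening (PID $($listener.OwningProcess), $($proc.ProcessName))"
} else {
    Write-Warning "Nothing is listening on $BeatsPort - check the Logstash pipeline and logs"
}

# Allow remote Beats agents through the Windows firewall, but only from the LAN range
# rather than from any address.
$ruleName = 'Logstash Beats input'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $BeatsPort -RemoteAddress '192.168.0.0/16' -Action Allow | Out-Null
    Write-Host "Created firewall rule '$ruleName' for TCP $BeatsPort"
}
```

Run it in an elevated PowerShell on the ELK server after the plugin install. The port check tells you whether the Beats input plugin loaded and bound; if it did not, nothing a client does will help, so it is worth checking here before touching the agents.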

Installing Beats on Remote Servers

To install the Beats agents, download and unzip them all into a common directory on the server like C:\ELK-Beats\. Once everything is unpacked, use the following commands at a PowerShell prompt to run the install scripts located in the unzipped package directories:

PowerShell.exe -ExecutionPolicy Unrestricted -File C:\Beats\filebeat\install-service-filebeat.ps1

PowerShell.exe -ExecutionPolicy Unrestricted -File C:\Beats\topbeat\install-service-topbeat.ps1

PowerShell.exe -ExecutionPolicy Unrestricted -File C:\Beats\packetbeat\install-service-packetbeat.ps1

PowerShell.exe -ExecutionPolicy Unrestricted -File C:\Beats\winlogbeat\install-service-winlogbeat.ps1

Make sure to verify the following services are started in the services.msc console:

  • filebeat
  • packetbeat
  • topbeat
  • winlogbeat
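The four install commands and the services.msc check above can be folded into one script. The following is an added example, not the author's install script, that follows the post's C:\Beats\<beat>\install-service-<beat>.ps1 layout; the skip-if-installed logic, the startup type change and the status table at the end are this example's own additions.

```powershell
# Added example: install and start the four Beats services from one directory.
# Paths follow the post (C:\Beats\<beat>\install-service-<beat>.ps1); the loop, the
# idempotency check, the StartupType change and the final table are additions.

$BeatsRoot = 'C:\Beats'
$Beats     = 'filebeat', 'topbeat', 'packetbeat', 'winlogbeat'

foreach ($beat in $Beats) {
    $installScript = Join-Path $BeatsRoot "$beat\install-service-$beat.ps1"
    if (-not (Test-Path $installScript)) {
        Write-Warning "${beat}: install script not found at $installScript - was the zip unpacked here?"
        continue
    }

    # Skip beats that are already registered so re-running the script is safe.
    if (Get-Service -Name $beat -ErrorAction SilentlyContinue) {
        Write-Host "${beat}: service already installed"
    } else {
        # Run the vendor script in a child process, exactly as in the post, so the
        # relaxed execution policy applies only to that one invocation.
        & PowerShell.exe -ExecutionPolicy Unrestricted -File $installScript
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "${beat}: install script exited with code $LASTEXITCODE"
            continue
        }
    }

    # Make the shipper survive reboots and bring it up now.
    Set-Service -Name $beat -StartupType Automatic
    Start-Service -Name $beat -ErrorAction SilentlyContinue
}

# Equivalent of eyeballing services.msc: every beat should show Status = Running.
Get-Service -Name $Beats -ErrorAction SilentlyContinue |
    Select-Object Name, Status |
    Format-Table -AutoSize
```

Any beat that shows Stopped here usually has a configuration error; the beat's own log under its directory says which line it objected to.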

I used the following script in the video to install the Beats agents (rename to .ps1):
ELK-Beats-Install-Script.txt

Configuration File Changes

Each Beat has its own configuration file which will need to be modified to point back to the Logstash instance on the ELK stack server. The configuration files are found at the root of each Beats directory, i.e. C:\Beats\filebeat\filebeat.yml, C:\Beats\packetbeat\packetbeat.yml. Find and delete the # in front of the logstash: and hosts: ["192.168.XXX.XXX:5044"] lines:

[screenshot: beats-config-file]

For the hosts field enter the IP address of the ELK stack server along with the port defined in the logstash.json configuration file mentioned earlier.

For Filebeat it is also worth noting that it will need to be pointed to a log file, like in this case pointing to an IIS log:

[screenshot: file-beat-config]

Once the changes have been made, restart the Beats services to pick up the changes.
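Editing four .yml files by hand on every server is where the typo creeps in, so here is an added example (not from the post) that applies the three changes described above in PowerShell: uncomment the logstash: and hosts: lines, set the ELK address and port, give Filebeat the IIS log path, then check the port is reachable and restart the services. It assumes the default 1.x-era Beats file layout, where the Logstash output is shipped commented out as #logstash: / #hosts: ["localhost:5044"], and the Filebeat sample path is - /var/log/*.log; the ELK address, port and the IIS log directory are placeholders to replace.

```powershell
# Added example: point every Beat at Logstash, set Filebeat's log path, restart.
# Assumptions (not from the post): the default .yml layout of the 1.x Beats, where the
# Logstash output is commented out as '#logstash:' / '#hosts: ["localhost:5044"]' and
# Filebeat ships with '- /var/log/*.log'; the ELK address, port and IIS log path.

$BeatsRoot  = 'C:\Beats'
$Beats      = 'filebeat', 'topbeat', 'packetbeat', 'winlogbeat'
$ElkHost    = '192.168.XXX.XXX'                        # replace with the ELK stack server address
$BeatsPort  = 5044                                      # port from logstash.json
$IisLogGlob = 'C:\inetpub\logs\LogFiles\W3SVC1\*.log'   # assumed IIS site log path

foreach ($beat in $Beats) {
    $yml = Join-Path $BeatsRoot "$beat\$beat.yml"
    if (-not (Test-Path $yml)) { Write-Warning "${beat}: $yml not found"; continue }

    Copy-Item $yml "$yml.bak" -Force            # keep the vendor default for diffing later
    $text = Get-Content $yml -Raw

    # Uncomment the Logstash output block, preserving the line's indentation,
    # and replace the sample hosts entry with the real ELK address and port.
    $text = $text -replace '(?m)^([ \t]*)#logstash:', '${1}logstash:'
    $hostsLine = '${1}hosts: ["' + $ElkHost + ':' + $BeatsPort + '"]'
    $text = $text -replace '(?m)^([ \t]*)#hosts:[ \t]*\["localhost:5044"\]', $hostsLine

    # Filebeat only: swap the sample path for the IIS log location.
    # An unquoted YAML scalar keeps the backslashes as-is, so no escaping is needed.
    if ($beat -eq 'filebeat') {
        $text = $text -replace '(?m)^([ \t]*-[ \t]*)/var/log/\*\.log', ('${1}' + $IisLogGlob)
    }

    Set-Content -Path $yml -Value $text -Encoding ASCII
    Write-Host "${beat}: updated $yml"
}

# Reachability check before restarting: is the Logstash port open from this host?
$probe = Test-NetConnection -ComputerName $ElkHost -Port $BeatsPort -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) {
    Write-Warning "TCP $ElkHost`:$BeatsPort is not reachable - check the firewall on the ELK server"
}

# Restart so the Beats pick up the new output and prospector settings.
foreach ($beat in $Beats) {
    Restart-Service -Name $beat -ErrorAction SilentlyContinue
}
Get-Service -Name $Beats -ErrorAction SilentlyContinue | Select-Object Name, Status | Format-Table -AutoSize
```

Diff each .yml against its .bak copy once before trusting the regexes on a different Beats version, since the shipped defaults (and therefore the patterns that match them) change between releases.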

And that’s it, the host should now be reporting back to the ELK stack server.

[screenshot: kibana]

At this point you can literally copy and paste the install directory (C:\Beats) to another machine. Since the configuration files should already be pointing to the ELK server, all you have to do is run through the Beats install scripts, start the services and you’re good to go.
