ELK 5 on Ubuntu: Pt. 3 – Installing and Configuring Beats Agents on Windows Clients



In the previous two posts I went over everything from installing Ubuntu to getting the ELK stack set up and ingesting its own logs. In this final post in the series I am going to cover collecting Windows Event and IIS logs from remote Windows clients.

Here is the quick run down of exactly what is going to be covered in this post:

  • Installing and configuring Winlogbeat
  • Installing and configuring Filebeat
  • Updating Kibana with the new index patterns

Testing Connectivity to the ELK Server

Before you begin shipping logs to the ELK stack from a remote machine it is a good idea to test network connectivity between the two machines. From a Windows machine you can use either of the following commands to test port 5044 (the Beats listener on the ELK server).

PowerShell:
PS C:\> Test-NetConnection <IPAddressofELKServer> -Port 5044

Telnet:
PS C:\> telnet <IPAddressofELKServer> 5044

Installing Winlogbeat for Windows Event Logs

1.) Download Winlogbeat from https://www.elastic.co/downloads/beats

2.) Extract the zip archive to the location you would like to run the agent from; in this example I will use C:\ELK-Beats.

3.) Once complete, CD to the path where the package was extracted and run the install-service-winlogbeat.ps1 PowerShell script found in that directory using the following commands:
PS C:\> cd c:\ELK-Beats\winlogbeat-5.2.2
PS C:\ELK-Beats\winlogbeat-5.2.2> PowerShell.exe -ExecutionPolicy Bypass -File install-service-winlogbeat.ps1

4.) Next open the winlogbeat.yml configuration file found in the Winlogbeat directory and then edit the following lines:

# Comment out
#output.elasticsearch:
  # Array of hosts to connect to.
  #hosts: ["localhost:9200"]

# Uncomment and set Logstash IP
output.logstash:
  # The Logstash hosts
  hosts: ["192.168.2.85:5044"]

Make sure to swap out the 192.168.2.85 with the IP address of the ELK stack server.

5.) Open services.msc, restart the Winlogbeat service and verify it is now running.

Installing Filebeat for IIS Logs

1.) Download Filebeat from https://www.elastic.co/downloads/beats

2.) Extract it to the location you would like to run the agent from; I am going to use the same base path I used for Winlogbeat, C:\ELK-Beats.

3.) Once complete, CD to the path where the package was extracted and run the install-service-filebeat.ps1 PowerShell script found in that directory using the following commands:
PS C:\> cd c:\ELK-Beats\filebeat-5.2.2
PS C:\ELK-Beats\filebeat-5.2.2> PowerShell.exe -ExecutionPolicy Bypass -File install-service-filebeat.ps1

4.) Next open the filebeat.yml configuration file found in the Filebeat directory and then edit the following lines:

# Under filebeat.prospectors, add the path to the IIS logs
  paths:
    - C:\inetpub\logs\LogFiles\*\*

# Comment out
#output.elasticsearch:
  # Array of hosts to connect to.
  #hosts: ["localhost:9200"]

# Uncomment and set Logstash IP
output.logstash:
  # The Logstash hosts
  hosts: ["192.168.2.85:5044"]

5.) Open services.msc, restart the Filebeat service and verify it is now running.
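The connectivity test and the Winlogbeat/Filebeat steps above, combined into one PowerShell script as an added example (this is not from the original post and not a script that ships with Beats). It assumes the Beat's zip has already been extracted under C:\ELK-Beats, that the Beat is a 5.x release (so the install-service script and the -configtest flag exist), that the stock <beat>.yml is being edited (its default output lines and, for Filebeat, the default "- /var/log/*.log" path), and that Test-NetConnection is available (Windows 8 / Server 2012 or later). The address 192.168.2.85 is the one used in this post; the script name Install-Beat.ps1 is a placeholder.

```powershell
# Install-Beat.ps1 (added example, not from the original post): tests the Beats
# listener, registers the service, edits <beat>.yml, validates it and restarts.
# Assumptions: extracted 5.x Beat under $BasePath\<beat>-<version>, stock yml.
param(
    [Parameter(Mandatory)]
    [ValidateSet('winlogbeat', 'filebeat')]
    [string]$Beat,
    [string]$BasePath  = 'C:\ELK-Beats',
    [string]$Version   = '5.2.2',
    [string]$ElkServer = '192.168.2.85',   # replace with the ELK server's IP
    [int]$Port         = 5044
)

$beatDir    = Join-Path $BasePath "$Beat-$Version"
$configFile = Join-Path $beatDir "$Beat.yml"
$installer  = Join-Path $beatDir "install-service-$Beat.ps1"
$exe        = Join-Path $beatDir "$Beat.exe"

# 1. Confirm the Beats listener is reachable before touching any configuration.
$tnc = Test-NetConnection -ComputerName $ElkServer -Port $Port
if (-not $tnc.TcpTestSucceeded) {
    throw "TCP $ElkServer`:$Port is not reachable; check Logstash and any firewall in between."
}

# 2. Register the Windows service with the script shipped in the Beat's directory
#    (this is the same command the post runs by hand; it needs an elevated prompt).
& PowerShell.exe -ExecutionPolicy Bypass -File $installer

# 3. Edit <beat>.yml: comment out the Elasticsearch output, enable the Logstash
#    output and, for Filebeat only, point the prospector at the IIS log directory.
$yml = Get-Content -Path $configFile
$yml = $yml -replace '^output\.elasticsearch:', '#output.elasticsearch:'
$yml = $yml -replace '^(\s*)hosts: \["localhost:9200"\]', '$1#hosts: ["localhost:9200"]'
$yml = $yml -replace '^#output\.logstash:', 'output.logstash:'
$yml = $yml -replace '^(\s*)#hosts: \["localhost:5044"\]', ('$1hosts: ["{0}:{1}"]' -f $ElkServer, $Port)
if ($Beat -eq 'filebeat') {
    # The stock 5.x filebeat.yml ships with "- /var/log/*.log" as its only active path.
    $yml = $yml -replace '^(\s*)- /var/log/\*\.log$', '$1- C:\inetpub\logs\LogFiles\*\*'
}
# WriteAllLines writes UTF-8 without a BOM, so the YAML parser sees plain text.
[System.IO.File]::WriteAllLines($configFile, [string[]]$yml)

# 4. Validate the edited config before restarting; a YAML mistake would otherwise
#    leave the service stopped and the host silently not shipping logs.
& $exe -c $configFile -path.home $beatDir -configtest -e
if ($LASTEXITCODE -ne 0) {
    throw "$Beat rejected $configFile; fix the YAML before restarting the service."
}

# 5. Restart the service (this also starts a freshly installed, stopped service)
#    and verify that it actually reached the Running state.
Restart-Service -Name $Beat
Start-Sleep -Seconds 5
$svc = Get-Service -Name $Beat
if ($svc.Status -ne 'Running') {
    throw "$Beat service is $($svc.Status); check its log directory (C:\ProgramData\$Beat\logs with the 5.x install script)."
}
"$Beat is installed, running and configured to ship to $ElkServer`:$Port"
```

Run it once per agent from an elevated PowerShell prompt, for example `.\Install-Beat.ps1 -Beat winlogbeat -ElkServer 192.168.2.85` and then again with `-Beat filebeat`. The -configtest step is the one worth keeping even if you do everything else by hand: it catches indentation and quoting mistakes in the yml before the service restart, which is where a misconfigured collector otherwise fails quietly.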

Add and update the index patterns in Kibana

1.) In Kibana under Management > Index Patterns, add the pattern for winlogbeat-*.

Wrap up

That concludes this series; you should now have everything you need to get the ELK stack services up and running on Ubuntu, and a decent idea of how to start collecting logs from both Windows and Linux machines.
