Blumira’s modern cloud SIEM platform integrates with WinLogBeat to detect cybersecurity threats and provide actionable response to remediate when a threat is detected.
When configured, the Blumira integration with WinLogBeat will stream security event logs to the Blumira service for automated threat detection and actionable response.
Configure Log Forwarding from WinLogBeat
Required Blumira Module: Logstash
Winlogbeat is a log shipper from Elastic. Blumira primarily recommends it for collecting Windows Event Forwarding (WEF) logs on the central WEF collector, the server your endpoints forward their events to. It can also be used in place of NXLog on any Windows host if you run into problems with NXLog.
- Download the Winlogbeat package that matches your architecture. For 64-bit Windows servers this is https://artifacts.elastic.co/downloads/beats/winlogbeat/winlogbeat-7.1.1-windows-x86_64.zip.
- Unzip to C:\Program Files\winlogbeat\
- Replace the contents of winlogbeat.yml with the configuration below. If this host is not a WEF collector, remove the ForwardedEvents entry so that the first item under winlogbeat.event_logs is - name: Application.
#======================= Winlogbeat specific options ==========================
winlogbeat.event_logs:
  - name: ForwardedEvents
    ignore_older: 24h
  - name: Application
    ignore_older: 72h
  - name: Security
  - name: System

#================================ General =====================================
# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
name: <ip_of_host>

#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["<ip_of_your_sensor>:5044"]
- Open winlogbeat.yml and confirm the following:
- Replace <ip_of_host> with the IP address of the host that is sending the logs. Blumira uses this value to relate the events to the correct host.
- Replace <ip_of_your_sensor> with the internal IP address of your Blumira sensor. The output block above does not enable TLS, so this traffic should stay on your internal network.
- The host running the agent must be able to reach the sensor on TCP port 5044; open that port on any firewall between them.
- Install Winlogbeat as a service. Open an administrator command prompt (right-click cmd and select Run as Administrator) and run:
cd "C:\Program Files\winlogbeat"
Powershell.exe -ExecutionPolicy Unrestricted -File install-service-winlogbeat.ps1
- PowerShell will display a security warning; press R for "Run once". The script installs the service and prints:
Status   Name        DisplayName
------   ----        -----------
Stopped  winlogbeat  winlogbeat
- The service is installed with the Automatic startup type, so it only needs to be started once. In the same window run net start winlogbeat; you should see The winlogbeat service was started successfully.
- Configuration and installation of the Winlogbeat service are now complete. If you open a support case, Blumira Support may ask for the files in C:\ProgramData\winlogbeat\logs to determine whether the agent is having trouble reaching the sensor.
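The manual steps above, collected into one script so the install can be repeated on several hosts. This is an added example, not Blumira's or Elastic's own tooling. It assumes the Winlogbeat zip has already been downloaded to the path in $ZipPath, that it runs from an elevated PowerShell 5+ session, and that the parameter names ($HostIp, $SensorIp, $NoWef) are placeholders chosen for this example. It checks TCP 5044 reachability and lets winlogbeat.exe validate the generated YAML before the service is installed, so a blocked port or a bad edit fails before anything is registered.

```powershell
# Added example (not from the Blumira page): unattended Winlogbeat install shipping to a
# Blumira sensor over Logstash output. Parameter names are this example's own assumptions.
param(
    [Parameter(Mandatory)] [string] $HostIp,     # replaces <ip_of_host> (YAML "name:")
    [Parameter(Mandatory)] [string] $SensorIp,   # replaces <ip_of_your_sensor>
    [string] $ZipPath = "$env:USERPROFILE\Downloads\winlogbeat-7.1.1-windows-x86_64.zip",
    [string] $InstallDir = "C:\Program Files\winlogbeat",
    [switch] $NoWef                              # set on hosts that are not WEF collectors
)

$ErrorActionPreference = 'Stop'

# 1. The service install needs an elevated session; fail early if we do not have one.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this script from an elevated (Run as Administrator) PowerShell session."
}

# 2. Unzip. The archive has a versioned top-level folder; flatten it into $InstallDir.
$tmp = Join-Path $env:TEMP ("winlogbeat-" + [guid]::NewGuid())
Expand-Archive -LiteralPath $ZipPath -DestinationPath $tmp
$inner = Get-ChildItem -Path $tmp -Directory | Select-Object -First 1
New-Item -ItemType Directory -Path $InstallDir -Force | Out-Null
Copy-Item -Path (Join-Path $inner.FullName '*') -Destination $InstallDir -Recurse -Force
Remove-Item -Path $tmp -Recurse -Force

# 3. Build winlogbeat.yml. ForwardedEvents only exists on a WEF collector, so it is
#    omitted when -NoWef is given, leaving Application as the first event log.
$eventLogs = @()
if (-not $NoWef) {
    $eventLogs += "  - name: ForwardedEvents`n    ignore_older: 24h"
}
$eventLogs += "  - name: Application`n    ignore_older: 72h"
$eventLogs += "  - name: Security"
$eventLogs += "  - name: System"

$yaml = @"
#======================= Winlogbeat specific options ==========================
winlogbeat.event_logs:
$($eventLogs -join "`n")

#================================ General =====================================
# Identifies the shipping host so Blumira can relate events to it.
name: $HostIp

#----------------------------- Logstash output --------------------------------
output.logstash:
  hosts: ["${SensorIp}:5044"]
"@
Set-Content -Path (Join-Path $InstallDir 'winlogbeat.yml') -Value $yaml -Encoding ASCII

# 4. TCP 5044 to the sensor must be open before the service is worth installing.
$probe = Test-NetConnection -ComputerName $SensorIp -Port 5044 -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) {
    throw "TCP 5044 to $SensorIp is not reachable; open it on intervening firewalls first."
}

Push-Location $InstallDir
try {
    # 5. Let Winlogbeat parse the YAML it will actually load ("test config" is a built-in
    #    subcommand; -e sends its output to stderr instead of the log file).
    & .\winlogbeat.exe test config -c .\winlogbeat.yml -e
    if ($LASTEXITCODE -ne 0) { throw "winlogbeat.yml failed validation" }

    # 6. Register and start the service with Elastic's bundled script. Bypass avoids the
    #    "Run once" prompt the interactive steps describe.
    & powershell.exe -ExecutionPolicy Bypass -File .\install-service-winlogbeat.ps1
    Start-Service -Name winlogbeat
}
finally {
    Pop-Location
}

# 7. Verify the service state and show the newest log lines, the same file Blumira
#    Support asks for when diagnosing connectivity.
$svc = Get-Service -Name winlogbeat
"{0}: {1} (StartType={2})" -f $svc.Name, $svc.Status, $svc.StartType
Get-ChildItem 'C:\ProgramData\winlogbeat\logs' -Filter 'winlogbeat*' -File |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1 |
    Get-Content -Tail 20
```

Run it as, for example, .\Install-Winlogbeat.ps1 -HostIp 10.0.1.25 -SensorIp 10.0.1.10 on the WEF collector, or add -NoWef on an ordinary server. The connectivity probe and the config validation run before the service is registered so that a failed install leaves nothing half-configured; if the probe fails, the fix is a firewall rule, not a Winlogbeat change.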