Winlogbeat

Install Winlogbeat to ship Windows event logs to PacketAI.

Download and Install Winlogbeat

Run the following in PowerShell to download and unpack Winlogbeat:

$ProgressPreference = 'SilentlyContinue'
Invoke-WebRequest -Uri https://artifacts.elastic.co/downloads/beats/winlogbeat/winlogbeat-8.4.3-windows-x86_64.zip -OutFile wlb.zip
Expand-Archive .\wlb.zip
mv .\wlb\winlogbeat-8.4.3-windows-x86_64\ .\winlogbeat\
rm -r .\wlb
rm .\wlb.zip
cd .\winlogbeat

Get PacketAI Winlogbeat Config Template

Generate the default configuration by running the following in PowerShell from the winlogbeat folder:

Invoke-WebRequest -Uri "https://raw.githubusercontent.com/PacketAI/winlogbeat-installation/main/generate-config.ps1" -OutFile generate-config.ps1
.\generate-config.ps1 -clustername "YOUR_CLUSTER_NAME" -infra "YOUR_PAI_IID" -token "YOUR_PAI_TOKEN"
  • Replace YOUR_CLUSTER_NAME with the name of your cluster (lowercase alphanumeric characters only).

  • Replace YOUR_PAI_IID and YOUR_PAI_TOKEN with the infrastructure ID and token shown under Deploy PacketAI > Agent > Logstash credentials. Note that a token typed on the command line is recorded in the PowerShell command history (PSReadLine's ConsoleHost_history.txt); clear that entry afterwards or pass the token from a variable that was read interactively.

Configure Log Source

Edit the generated winlogbeat.yml and list the Windows event logs you want to collect in the winlogbeat.event_logs section.

Install and Start the Service

From an elevated PowerShell prompt, run:

.\install-service-winlogbeat.ps1
Start-Service winlogbeat
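The whole procedure above as one script, added here as an example rather than taken from PacketAI's installer repository. It adds the checks a practitioner would want before trusting a new log shipper: it verifies the archive against the SHA-512 checksum Elastic publishes next to each download, reads the PacketAI token interactively so it does not land in the console history, validates the configuration and the output connection with winlogbeat's own test commands, and only then installs the service. The install directory, the cluster name, the event-log selection and the assumption that the generated winlogbeat.yml contains no winlogbeat.event_logs section yet are all assumptions made for this example; adjust them to your environment.

```powershell
#Requires -RunAsAdministrator
# Added example (not PacketAI's own script): download, verify, configure and install Winlogbeat.
$ErrorActionPreference = 'Stop'
$ProgressPreference    = 'SilentlyContinue'

$Version    = '8.4.3'
$Archive    = "winlogbeat-$Version-windows-x86_64.zip"
$BaseUrl    = 'https://artifacts.elastic.co/downloads/beats/winlogbeat'
$InstallDir = Join-Path $env:ProgramFiles 'winlogbeat'   # assumed install path

# Placeholder values for this example; the cluster name must be lowercase alphanumeric.
$ClusterName = 'prodwin01'
$InfraId     = 'YOUR_PAI_IID'

if (Test-Path $InstallDir) { throw "$InstallDir already exists; remove it or pick another path." }

# 1. Download the archive and its published SHA-512 checksum, and verify before unpacking.
Invoke-WebRequest -Uri "$BaseUrl/$Archive" -OutFile $Archive
Invoke-WebRequest -Uri "$BaseUrl/$Archive.sha512" -OutFile "$Archive.sha512"
$expected = (Get-Content "$Archive.sha512" -Raw).Split(' ')[0].Trim().ToLower()
$actual   = (Get-FileHash -Path $Archive -Algorithm SHA512).Hash.ToLower()
if ($expected -ne $actual) {
    throw "Checksum mismatch for $Archive (expected $expected, got $actual); aborting."
}

# 2. Unpack into the install directory and clean up.
Expand-Archive -Path $Archive -DestinationPath $env:TEMP -Force
Move-Item -Path (Join-Path $env:TEMP "winlogbeat-$Version-windows-x86_64") -Destination $InstallDir
Remove-Item $Archive, "$Archive.sha512"
Set-Location $InstallDir

# 3. Generate the PacketAI config. The token is read as a SecureString instead of being
#    typed on the command line, so it is not written to PSReadLine's console history.
$secureToken = Read-Host -Prompt 'PacketAI Logstash token' -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secureToken)
try     { $token = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/PacketAI/winlogbeat-installation/main/generate-config.ps1' -OutFile generate-config.ps1
.\generate-config.ps1 -clustername $ClusterName -infra $InfraId -token $token
Remove-Variable token

# 4. Configure log sources. Assumption: the generated winlogbeat.yml has no
#    winlogbeat.event_logs section yet; if it does, edit that section instead of appending.
$cfg = Get-Content .\winlogbeat.yml -Raw
if ($cfg -notmatch '(?m)^winlogbeat\.event_logs:') {
    $eventLogs = @'

winlogbeat.event_logs:
  - name: Security
    # Logon/logoff, explicit credentials, privileged logon, process creation (4688 needs
    # "Audit Process Creation" enabled), scheduled tasks, audit policy and account changes.
    event_id: 4624, 4625, 4634, 4648, 4672, 4688, 4698, 4719, 4720, 4726, 4732, 4756
    ignore_older: 72h
  - name: System
  - name: Application
  - name: Microsoft-Windows-PowerShell/Operational
    # 4103 module logging, 4104 script block logging (both need the matching audit policy).
    event_id: 4103, 4104
  - name: Microsoft-Windows-Sysmon/Operational
    # Remove this entry if Sysmon is not installed on the host.
'@
    Add-Content -Path .\winlogbeat.yml -Value $eventLogs
}

# 5. Validate the config and the connection to PacketAI before installing anything.
.\winlogbeat.exe test config -c .\winlogbeat.yml -e
if ($LASTEXITCODE -ne 0) { throw 'winlogbeat.yml failed validation; fix it before installing the service.' }
.\winlogbeat.exe test output -c .\winlogbeat.yml -e
if ($LASTEXITCODE -ne 0) { throw 'Could not reach the configured output; check the infra ID, token and network path.' }

# 6. Install and start the service, then confirm it is running.
PowerShell.exe -ExecutionPolicy Bypass -File .\install-service-winlogbeat.ps1
Start-Service winlogbeat
Get-Service winlogbeat
```

The checksum step is what turns "download from the internet and run as a service" into a verifiable supply-chain step: a mismatch aborts before the archive is ever extracted. The two test commands are cheap and catch the usual first-run failures (a malformed YAML edit, a mistyped token, an egress rule blocking the Logstash port) while the error is still on your screen rather than in the service log.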
