Winlogbeat

Winlogbeat is an open source log shipper that can forward Windows event logs to Humio.

Warning

Beats 7.16 and later log shippers have compatibility issues with some Humio versions and fail with an "Invalid version from Elasticsearch" error; see the table below.

Beats 8.0 and higher require a configuration change to enable them to work. See Troubleshooting: Beats and Logstash Log Shippers 7.13 and higher No Longer work with Humio for more information.

Compatibility by Beats/Logstash version (columns: Humio 1.36 and below, Humio 1.37):

  • Logstash 7.16 and up
    Humio 1.36 and below: Incompatible
    Humio 1.37: Compatible

  • Filebeat 7 and below
    Humio 1.36 and below: Compatible
    Humio 1.37: Compatible

  • Winlogbeat 8.0.0
    Humio 1.36 and below: Compatible, but requires setup.ilm.enabled: false
    Humio 1.37: Compatible, but requires setup.ilm.enabled: false

  • Winlogbeat 8.1.0
    Humio 1.36 and below: Compatible, but requires setup.ilm.enabled: false and output.elasticsearch.allow_older_versions: true
    Humio 1.37: Compatible, but requires setup.ilm.enabled: false and output.elasticsearch.allow_older_versions: true

Installation

The instructions below are taken in part from the official Winlogbeat documentation. You might also look at their General Guide and their Getting Started Guide.

Note

You must download and install the open source (OSS) version of Winlogbeat. The download page will look like the screenshot below. The standard version of Winlogbeat is designed to work only with Elasticsearch and will not connect to Humio successfully. Make sure that the name of the file you download looks like winlogbeat-oss-7.2.0-windows-x86_64.zip (the -oss- part is what matters).

  1. Extract the contents of the .zip file into C:\Program Files\Winlogbeat.

  2. Open a PowerShell prompt as an Administrator.

  3. Navigate to the Winlogbeat directory

    humio
    PS C:\Users\Administrator> cd 'C:\Program Files\Winlogbeat'
  4. Run the Winlogbeat installation script

    humio
    PS C:\Program Files\Winlogbeat> .\install-service-winlogbeat.ps1

    If script execution is disabled on the system, run the script through a new powershell.exe process with a relaxed execution policy. Passing -ExecutionPolicy on the command line applies only to that process and does not change the machine or user policy:

    humio
    powershell.exe -executionpolicy unrestricted -file .\install-service-winlogbeat.ps1
Configuration

Figure 238. Start Service

The following section covers additional areas for configuration of Winlogbeat including how to add additional event logs to be sent to Humio and how to make performance adjustments. For more information about Winlogbeat configuration, please read the Winlogbeat Configuration Options Guide.

Editing the Configuration

You must make the following changes to the configuration, see Configuration Example.

  1. Open winlogbeat.yml file which you can find in C:\Program Files\Winlogbeat.

  2. Specify the Windows event logs you want to ship under winlogbeat.event_logs.

  3. Insert the URL of your Humio installation followed by /api/v1/ingest/elastic-bulk in hosts.

  4. Generate an ingest token for the repository and insert it as the password. The token is a credential: restrict read access to winlogbeat.yml to administrators and the service account.

  5. Set logging.to_files to true.

  6. Under logging.files set path to the directory in which to write the logs, and set the top-level logging.level key to info.

  7. Verify that your winlogbeat.yml file is valid using the following command in PowerShell:

    humio
    PS C:\Program Files\Winlogbeat> .\winlogbeat.exe test config -c .\winlogbeat.yml -e
  8. If your configuration is valid you can start Winlogbeat using the following command:

    humio
    PS C:\Program Files\Winlogbeat> Start-Service winlogbeat
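The steps above as one PowerShell script that validates the configuration, starts the service, confirms it is running, and checks the newest Winlogbeat log file for errors, including the "Invalid version" error from the compatibility warning. This is an added example, not a script shipped by Humio or Winlogbeat; it assumes the install directory and the log path used in the configuration example below.

```powershell
# Added example (not from the Humio or Winlogbeat docs): validate, start and check.
# Assumptions: Winlogbeat extracted to C:\Program Files\Winlogbeat and
# logging.files.path set to C:\ProgramData\Winlogbeat\Logs, as in the example config.
$WinlogbeatDir = 'C:\Program Files\Winlogbeat'
$LogDir        = 'C:\ProgramData\Winlogbeat\Logs'
$ServiceName   = 'winlogbeat'

# 1. Validate the configuration before touching the service.
Push-Location $WinlogbeatDir
try {
    & .\winlogbeat.exe test config -c .\winlogbeat.yml -e
    if ($LASTEXITCODE -ne 0) { throw "winlogbeat.yml failed validation (exit code $LASTEXITCODE)" }
} finally {
    Pop-Location
}

# 2. Make sure install-service-winlogbeat.ps1 actually registered the service.
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if (-not $svc) { throw "Service '$ServiceName' not found; run install-service-winlogbeat.ps1 first" }

# 3. Start it and wait until Windows reports it as Running.
if ($svc.Status -ne 'Running') {
    Start-Service -Name $ServiceName
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
}
Get-Service -Name $ServiceName | Select-Object Name, Status, StartType

# 4. Give the shipper a moment to connect, then scan its newest log file.
#    Beats only creates the file once there is something to log.
Start-Sleep -Seconds 10
$latest = Get-ChildItem -Path $LogDir -Filter 'winlogbeat*' -File -ErrorAction SilentlyContinue |
          Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $latest) {
    Write-Warning "No log file under $LogDir yet"
} else {
    # "Invalid version" is the error described in the compatibility warning above.
    $problems = Select-String -Path $latest.FullName -Pattern 'ERROR', 'Invalid version' -SimpleMatch
    if ($problems) { $problems | ForEach-Object { $_.Line } } else { "No errors in $($latest.Name)" }
}
```

Run it from an elevated PowerShell prompt, since both the Security log and service control require administrator rights. If the log scan reports "Invalid version", consult the compatibility table at the top of this page rather than restarting the service repeatedly.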
Configuration Example

The following example file collects application, system, and security data and also logs Winlogbeat's operations to disk in order to facilitate troubleshooting if needed. Update the hosts and password fields with your Humio server's address and the ingest token for your repository.

yaml
winlogbeat.event_logs:
  - name: Application
  - name: System
  - name: Security

output.elasticsearch:
  hosts: ["http://$YOUR_HUMIO_URL/api/v1/ingest/elastic-bulk"]
  password: "*************************************"

logging.to_files: true

logging.files:
  path: C:\ProgramData\Winlogbeat\Logs

logging.level: info
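For Winlogbeat 8.1.0 the compatibility table above requires two extra keys on top of the example. The following file is an added example, not one from the Humio page; humio.example.com and the token value are placeholders, and the https scheme assumes your Humio endpoint is served over TLS.

```yaml
# Added example (not from the Humio page): winlogbeat.yml for Winlogbeat 8.1.0.
# Placeholders: humio.example.com and the ingest token value.
winlogbeat.event_logs:
  - name: Application
  - name: System
  - name: Security

# Required for Winlogbeat 8.0.0 and later against any Humio version (see table above).
setup.ilm.enabled: false

output.elasticsearch:
  # Use https when the Humio endpoint offers TLS; the ingest token travels in this request.
  hosts: ["https://humio.example.com/api/v1/ingest/elastic-bulk"]
  password: "<ingest token for the repository>"
  # Required for Winlogbeat 8.1.0 and later (see table above).
  allow_older_versions: true

logging.to_files: true
logging.files:
  path: C:\ProgramData\Winlogbeat\Logs
logging.level: info
```

Note that logging.level sits at the top level, not under logging.files; nesting it there makes it a different, unused key and leaves the log level at its default.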
Configuration Objects

This section documents only the set of keys and values required to ship data to Humio; it does not list all of the configuration options available in Winlogbeat.

See the Winlogbeat documentation for more information on configuration.

winlogbeat.event_logs

This block configures the Windows event logs that will be sent to Humio.

  • name

    The name of the Windows event log to ship, for example System. You can retrieve the full list of logs by running:

humio
Get-WinEvent -ListLog * | Format-List -Property LogName
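The listing above includes hundreds of channels, most of them empty or disabled. The following added example (not part of the Humio page) narrows it to enabled logs that actually hold records and prints them as a ready-to-paste winlogbeat.event_logs fragment; Microsoft-Windows-PowerShell/Operational is mentioned only as an instance of a channel name that needs quoting.

```powershell
# Added example (not from the Humio page): enumerate enabled, non-empty event logs
# and emit them as a winlogbeat.event_logs YAML fragment.
# -ErrorAction SilentlyContinue: a few channels cannot be opened even as Administrator.
$logs = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
        Where-Object { $_.IsEnabled -and $_.RecordCount -gt 0 } |
        Sort-Object RecordCount -Descending

# Human-readable overview, largest logs first, to judge expected volume before tuning.
$logs | Select-Object LogName, RecordCount, LogMode, FileSize | Format-Table -AutoSize

# YAML fragment for winlogbeat.yml. Names are quoted because channel names such as
# Microsoft-Windows-PowerShell/Operational contain '/' and '-'.
"winlogbeat.event_logs:"
$logs | ForEach-Object { '  - name: "{0}"' -f $_.LogName }
```

Paste only the channels you actually need into winlogbeat.yml; shipping every non-empty channel is the quickest way to blow through the batch-size guidance in Tuning Performance.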
output.elasticsearch

  • hosts

    The URL of your Humio installation followed by /api/v1/ingest/elastic-bulk.

  • password

    The ingest token for your Humio Repository, see Ingest Tokens for more information on generating tokens.

logging.to_files

Set the value of the field to true to write all logs to files. The log files are automatically rotated when the log file size limit is reached. Note that the file is only created if there are logs to write.

logging.files

  • path

The path in which the log files are created.

logging.level

The level of logging to write, set to info in these instructions.

Tuning Performance

You can tune Winlogbeat's performance by setting the compression_level, worker, and bulk_max_size values in the output.elasticsearch section of your winlogbeat.yml, based on the volume of data that you are shipping to Humio. Below is an example output.elasticsearch section.

yaml
output.elasticsearch:
  hosts: ["http://$YOUR_HUMIO_URL/api/v1/ingest/elastic-bulk"]
  password: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
  compression_level: 5
  bulk_max_size: 200
  worker: 1

The default compression_level used by all Beats is 3, but it may be set from 0 (no compression) to 9 (maximum compression). Compressing the data decreases the bandwidth required to ship it, but uses CPU and other resources on the shipping host.

The worker states the number of writers (threads) that can write events to Humio.

The bulk_max_size is the number of events or log entries to send in a single batch. Keep it in the range of 100 to 300 events for use with Humio. Increasing the number raises ingest throughput, but it has a negative impact on the search performance of the resulting events in Humio.