Winlogbeat is an open source log shipper that can forward Windows event logs to Humio.
Download the latest version of Winlogbeat.
You must download and install the open source (OSS) version of Winlogbeat. The proper download page will look like the screenshot below. The standard version of Winlogbeat is designed to work only with Elasticsearch and will not connect to Humio successfully. Make sure the file you download has a name of the form winlogbeat-oss-7.2.0-windows-x86_64.zip.
Extract the contents of the
Open a PowerShell prompt as an Administrator.
Navigate to the Winlogbeat directory:

```powershell
PS C:\Users\Administrator> cd 'c:\Program Files\Winlogbeat'
```
Run the Winlogbeat installation script:

```powershell
PS C:\Program Files\Winlogbeat> .\install-service-winlogbeat.ps1
```

If script execution is disabled on the system you will need to enable it for the current session using the following command:

```powershell
powershell.exe -executionpolicy unrestricted -file .\install-service-winlogbeat.ps1
```
Edit the winlogbeat.yml file found in C:\Program Files\Winlogbeat so that it contains the basic settings needed to send data to Humio.
The following example file collects Application, System, and Security events and also logs Winlogbeat's own operations to disk to facilitate troubleshooting if needed. Update the hosts and password fields with your Humio server's address and the ingest token for your repository.

```yaml
winlogbeat.event_logs:
  - name: Application
  - name: System
  - name: Security

output.elasticsearch:
  hosts: ["http://$YOUR_HUMIO_URL/api/v1/ingest/elastic-bulk"]
  password: "*************************************"

logging.to_files: true
logging.files:
  path: C:\ProgramData\Winlogbeat\Logs
logging.level: info
```
See WinLogBeat Documentation for more information on configuration.
Verify that your winlogbeat.yml file is valid using the following command in PowerShell:

```powershell
PS C:\Program Files\Winlogbeat> .\winlogbeat.exe test config -c .\winlogbeat.yml -e
```
If your configuration is valid you can start Winlogbeat using the following command:

```powershell
PS C:\Program Files\Winlogbeat> Start-Service winlogbeat
```

In the future you can start and stop the Winlogbeat service using the Windows Services Control Panel as shown below.
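As an added example (not from the Humio or Elastic documentation), the following PowerShell script runs the validation and start steps above in one go, then confirms the service stays running and scans the newest Winlogbeat log for ingest errors such as a refused connection or a rejected ingest token. It assumes the install directory, the C:\ProgramData\Winlogbeat\Logs path from the configuration above, and the winlogbeat service name created by the install script.

```powershell
# Added example: verify a Winlogbeat-to-Humio deployment from an elevated prompt.
# Assumed paths match the winlogbeat.yml shown above.
function Test-WinlogbeatDeployment {
    param(
        [string]$WinlogbeatDir = 'C:\Program Files\Winlogbeat',
        [string]$LogDir        = 'C:\ProgramData\Winlogbeat\Logs',
        [int]$SettleSeconds    = 15
    )

    # 1. Validate winlogbeat.yml before touching the service.
    & "$WinlogbeatDir\winlogbeat.exe" test config -c "$WinlogbeatDir\winlogbeat.yml" -e
    if ($LASTEXITCODE -ne 0) { throw 'winlogbeat.yml failed validation' }

    # 2. Start the service (no-op if already running) and give it time to connect.
    $svc = Get-Service -Name winlogbeat
    if ($svc.Status -ne 'Running') { Start-Service -Name winlogbeat }
    Start-Sleep -Seconds $SettleSeconds
    $svc = Get-Service -Name winlogbeat
    if ($svc.Status -ne 'Running') { throw "winlogbeat service is $($svc.Status), not Running" }

    # 3. Find the newest log file written under logging.files.path.
    $latest = Get-ChildItem -Path $LogDir -Filter 'winlogbeat*' -File -ErrorAction Stop |
              Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $latest) { throw "no Winlogbeat log found under $LogDir" }

    # 4. Surface error lines: a wrong hosts URL shows up as a connection failure,
    #    a bad ingest token as an HTTP 401/403 from the Humio endpoint.
    $problems = Select-String -Path $latest.FullName `
                -Pattern 'ERROR|failed to|connection refused|401|403'
    if ($problems) {
        Write-Warning "Found $($problems.Count) error line(s) in $($latest.Name); last 10:"
        $problems | Select-Object -Last 10 | ForEach-Object { Write-Warning $_.Line }
        return $false
    }
    Write-Host "winlogbeat is running and $($latest.Name) shows no ingest errors."
    return $true
}

Test-WinlogbeatDeployment
```

A return value of $false with 401 or 403 lines usually means the password field does not hold a valid ingest token for the target repository; connection-refused lines point at the hosts value.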
The following section covers additional areas for configuration of Winlogbeat including how to add additional event logs to be sent to Humio and how to make performance adjustments. For more information about Winlogbeat configuration, please read the Winlogbeat Configuration Options Guide.
In the example configuration above we set up Winlogbeat to send events from the Windows System, Security, and Application event logs:

```yaml
winlogbeat.event_logs:
  - name: Application
  - name: System
  - name: Security
```
A full list of available event logs can be seen in PowerShell by running the following command; the (abbreviated) results follow:

```powershell
Get-WinEvent -ListLog * | Format-List -Property LogName

LogName : Application
LogName : HardwareEvents
LogName : Internet Explorer
LogName : Key Management Service
LogName : Security
LogName : System
LogName : Windows PowerShell
LogName : ForwardedEvents
LogName : Microsoft-AppV-Client/Admin
...
LogName : Windows Networking Vpn Plugin Platform/OperationalVerbose
```
If you want to add PowerShell events to Humio you would add the following line to the winlogbeat.event_logs section of your winlogbeat.yml file and then restart the Winlogbeat service:

```yaml
  - name: Windows PowerShell
```
You can tune Winlogbeat's performance by setting the bulk_max_size value (together with compression_level and worker) in the output.elasticsearch section of your winlogbeat.yml, based on the volume of data you are shipping to Humio. Below is an example:

```yaml
output.elasticsearch:
  hosts: ["http://$YOUR_HUMIO_URL/api/v1/ingest/elastic-bulk"]
  password: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
  compression_level: 5
  bulk_max_size: 200
  worker: 1
```
The default compression_level used by all beats is 3, but it may be set from 0 (no compression) to 9 (maximum compression). Compressing the data decreases the bandwidth required to ship it, but costs CPU and other server resources.
The worker states the number of writers (threads) that can write events to Humio.
The bulk_max_size is the number of events (log entries) sent in a single batch. For use with Humio, bulk_max_size should stay within 100 to 300 events: increasing it raises ingest throughput, but has a negative impact on search performance over the resulting events in Humio.