Integrating with Winlogbeat

Overview

Use the Blumira integration with Winlogbeat to stream Windows event logs to Blumira for automated threat detection and actionable response. Winlogbeat is a log shipper that is primarily recommended for Windows Event Forwarding (WEF), installed on the collector server where your forwarded Windows event logs are gathered. It can be used as an alternative to NXLog if you experience issues with NXLog, but Poshim/NXLog remains the preferred method of shipping Windows logs to Blumira.

Important: Do not use Poshim/NXLog and Winlogbeat together on the same system.

Before you begin

This integration requires a Blumira sensor to be installed before you can complete the steps below. Ensure that you complete the steps in Building a Blumira sensor with Ubuntu before you continue.

Gather the IP address of your Blumira sensor to use when configuring the external service.

To find and copy the IP address of the sensor, do the following:

  1. In Blumira, navigate to Settings > Sensors.
  2. Click the sensor row to open the details page.
  3. In the Overview section, next to Host Details, copy the IP address.

Installing and configuring Winlogbeat

To install and configure Winlogbeat on the host that will ship logs, do the following:

  1. Download the Winlogbeat client appropriate for your architecture.
    Tip: Use https://artifacts.elastic.co/downloads/beats/winlogbeat/winlogbeat-7.1.1-windows-x86_64.zip for modern Windows servers.
  2. Unzip to C:\Program Files\winlogbeat
  3. Replace the contents of the winlogbeat.yml file with the content below. If you are not using WEF, delete the two lines `- name: ForwardedEvents` and `ignore_older: 24h`.
    #======================= Winlogbeat specific options ==========================
    
    winlogbeat.event_logs:
     - name: ForwardedEvents
       ignore_older: 24h
     - name: Application
       ignore_older: 72h
     - name: Security
     - name: System
    
    #================================ General =====================================
    
    # The name of the shipper that publishes the network data. It can be used to group
    # all the transactions sent by a single shipper in the web interface.
    name: <ip_of_host>
    
    #----------------------------- Logstash output --------------------------------
    output.logstash:
     # The Logstash hosts
     hosts: ["<ip_of_your_sensor>:5044"]
  4. Open the winlogbeat.yml file and complete the following steps:
    1. Change <ip_of_host> to the IP address of the host sending the logs. Blumira uses this value to associate the events with the correct host.
    2. Change <ip_of_your_sensor> to the internal IP address of your sensor.
  5. Ensure that port 5044/TCP is open from the host running this agent to the sensor.
  6. Install winlogbeat as a service. Open an Administrator command prompt (right-click cmd and select Run as Administrator), then run the following commands:
    cd "C:\Program Files\winlogbeat"
    Powershell.exe -ExecutionPolicy Unrestricted -File install-service-winlogbeat.ps1
  7. In the security warning prompt, press R (Run once) to install the service. You should then see output like the following:
    Status   Name         DisplayName
    ------   ----         -----------
    Stopped  winlogbeat   winlogbeat
  8. The service should be installed with its startup type set to Automatic. Start the service with net start winlogbeat in the same window. You will see the message "The winlogbeat service was started successfully."

Note: During troubleshooting, Blumira Support may need the contents from C:\ProgramData\winlogbeat\logs to determine if there are any communication issues.
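The steps above, collected into one script that can be run from an elevated PowerShell prompt after the zip has been extracted to C:\Program Files\winlogbeat. This is an added example, not Blumira's or Elastic's own script. It writes the winlogbeat.yml from the template in this article, checks that the sensor is reachable on 5044/TCP before installing anything, validates the configuration with winlogbeat's own `test config` and `test output` subcommands (present in the 7.x releases), installs and starts the service, and then looks at the log directory named in the note above for connection errors. The parameter names (-SensorIp, -HostIp, -NoWef, -InstallDir) are invented for this example; the Unblock-File call is an assumption about why the "Run once" prompt appears (the downloaded script carries a mark-of-the-web) and removes that prompt.

```powershell
# Added example (not Blumira's or Elastic's script). Run as Administrator:
#   .\Install-Winlogbeat.ps1 -SensorIp 10.0.0.5 -HostIp 10.0.0.20 [-NoWef]
param(
    [Parameter(Mandatory = $true)] [string] $SensorIp,   # internal IP of the Blumira sensor
    [Parameter(Mandatory = $true)] [string] $HostIp,     # IP of this host, used as the shipper name
    [switch] $NoWef,                                     # set when this host is not a WEF collector
    [string] $InstallDir = 'C:\Program Files\winlogbeat' # where the zip was extracted
)
$ErrorActionPreference = 'Stop'

# 1. Verify the path to the sensor before touching anything (step 5 in the article).
$probe = Test-NetConnection -ComputerName $SensorIp -Port 5044 -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) {
    throw "Cannot reach $SensorIp on 5044/TCP from this host; check firewalls in between."
}

# 2. Render winlogbeat.yml from the article's template (steps 3 and 4).
$eventLogs = @()
if (-not $NoWef) {
    $eventLogs += ' - name: ForwardedEvents'
    $eventLogs += '   ignore_older: 24h'
}
$eventLogs += ' - name: Application'
$eventLogs += '   ignore_older: 72h'
$eventLogs += ' - name: Security'
$eventLogs += ' - name: System'

$config = @(
    '#======================= Winlogbeat specific options ==========================',
    '',
    'winlogbeat.event_logs:'
) + $eventLogs + @(
    '',
    '#================================ General =====================================',
    '',
    '# Shipper name; Blumira uses it to associate events with this host.',
    "name: $HostIp",
    '',
    '#----------------------------- Logstash output --------------------------------',
    'output.logstash:',
    '  # The Logstash hosts',
    "  hosts: [`"${SensorIp}:5044`"]"
)
$ymlPath = Join-Path $InstallDir 'winlogbeat.yml'
if (Test-Path $ymlPath) { Copy-Item $ymlPath "$ymlPath.bak" -Force }   # keep the shipped file
# ASCII avoids the UTF-8 BOM that Windows PowerShell 5.1 writes with -Encoding UTF8.
Set-Content -Path $ymlPath -Value $config -Encoding ASCII

# 3. Let winlogbeat parse the file and try the Logstash output itself.
Push-Location $InstallDir
try {
    & .\winlogbeat.exe test config -c winlogbeat.yml
    if ($LASTEXITCODE -ne 0) { throw 'winlogbeat rejected winlogbeat.yml' }
    & .\winlogbeat.exe test output -c winlogbeat.yml
    if ($LASTEXITCODE -ne 0) { throw "winlogbeat could not talk to $SensorIp:5044" }

    # 4. Install the service if it is not already present (steps 6 and 7).
    if (-not (Get-Service -Name winlogbeat -ErrorAction SilentlyContinue)) {
        # Assumption: the "Run once" prompt comes from the mark-of-the-web on the
        # downloaded script; clearing it lets the install run unattended.
        Unblock-File -Path .\install-service-winlogbeat.ps1
        PowerShell.exe -ExecutionPolicy Unrestricted -File .\install-service-winlogbeat.ps1
        if ($LASTEXITCODE -ne 0) { throw 'install-service-winlogbeat.ps1 failed' }
    }
}
finally { Pop-Location }

# 5. Confirm startup type and start the service (step 8).
$svc = Get-Service -Name winlogbeat
if ($svc.StartType -ne 'Automatic') { Set-Service -Name winlogbeat -StartupType Automatic }
if ($svc.Status -ne 'Running') { Start-Service -Name winlogbeat }
Get-Service -Name winlogbeat | Select-Object Status, Name, DisplayName, StartType

# 6. Surface any early connection problems from the log directory the note mentions.
Start-Sleep -Seconds 5
$logDir = 'C:\ProgramData\winlogbeat\logs'
Get-ChildItem -Path $logDir -Filter 'winlogbeat*' -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1 |
    Get-Content -Tail 20 |
    Select-String -Pattern 'ERROR|Failed to connect|Connection to .* established'
```

Because the script refuses to proceed when the 5044/TCP probe or `test output` fails, a firewall or routing problem shows up before the service is installed rather than as a silent gap in Blumira; the final Select-String is only a quick look, and the full files under C:\ProgramData\winlogbeat\logs remain what Support will ask for.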