docs/reference/winlogbeat/winlogbeat-installation-configuration.md
This guide describes how to get started quickly with Windows log monitoring. You’ll learn how to:
% TO DO: Use :class: screenshot
You need {{es}} for storing and searching your data, and {{kib}} for visualizing and managing it.
:::::::{applies-switch} :group: deployment
::::::{applies-item} ess: ga :sync: hosted To get started quickly, spin up an {{ech}} deployment. {{ech}} is available on AWS, GCP, and Azure. Try it out for free. ::::::
::::::{applies-item} self: ga :sync: self To install and run {{es}} and {{kib}}, see Installing the {{stack}}. ::::::
::::::{applies-item} serverless: ga :sync: serverless ::::{include} /reference/_snippets/serverless-before-you-begin.md :::: ::::::
:::::::
C:\Program Files.winlogbeat-<version> directory to Winlogbeat.PS C:\Users\Administrator> cd 'C:\Program Files\Winlogbeat'
PS C:\Program Files\Winlogbeat> .\install-service-winlogbeat.ps1
Security warning
Run only scripts that you trust. While scripts from the internet can be useful,
this script can potentially harm your computer. If you trust this script, use
the Unblock-File cmdlet to allow the script to run without this warning message.
Do you want to run C:\Program Files\Winlogbeat\install-service-winlogbeat.ps1?
[D] Do not run [R] Run once [S] Suspend [?] Help (default is "D"): R
Status Name DisplayName
------ ---- -----------
Stopped winlogbeat winlogbeat
:::{note}
If script execution is disabled on your system, you need to set the execution policy for the current session to allow the script to run. For example: PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-winlogbeat.ps1.
:::
:::{note} To use a local non-Administrator account to run Winlogbeat, follow these additional steps. :::
:::{important} :applies_to: stack: ga 9.0.6+!
The base folder has changed from C:\ProgramData\ to C:\Program Files\
because the latter has stricter permissions. The home path (base for
state and logs) is now C:\Program Files\Winlogbeat-Data.
The install script (install-service-winlogbeat.ps1) will check whether
C:\ProgramData\Winlogbeat exits and move it to C:\Program Files\Winlogbeat-Data.
For more details on the installation script refer to: install script.
:::
Connections to {{es}} and {{kib}} are required to set up Winlogbeat.
Set the connection information in winlogbeat.yml. To locate this configuration file, see Directory layout.
:::::::{applies-switch} :group: deployment
::::::{applies-item} ess: ga :sync: hosted Specify the cloud.id of your {{ech}} deployment, and set cloud.auth to a user who is authorized to set up Winlogbeat. For example:
cloud.id: "staging:dXMtZWFzdC0xLmF3cy5mb3VuZC5pbyRjZWM2ZjI2MWE3NGJmMjRjZTMzYmI4ODExYjg0Mjk0ZiRjNmMyY2E2ZDA0MjI0OWFmMGNjN2Q3YTllOTYyNTc0Mw=="
cloud.auth: "winlogbeat_setup:YOUR_PASSWORD" <1>
::::::{applies-item} self: ga :sync: self
Set the host and port where Winlogbeat can find the {{es}} installation, and set the username and password of a user who is authorized to set up Winlogbeat. For example:
output.elasticsearch:
hosts: ["https://myEShost:9200"]
username: "winlogbeat_internal"
password: "YOUR_PASSWORD" <1>
ssl:
enabled: true
ca_trusted_fingerprint: "b9a10bbe64ee9826abeda6546fc988c8bf798b41957c33d05db736716513dc9c" <2>
If you plan to use our pre-built {{kib}} dashboards, configure the {{kib}} endpoint. Skip this step if {{kib}} is running on the same host as {{es}}.
setup.kibana:
host: "mykibanahost:5601" <1>
username: "my_kibana_user" <2> <3>
password: "YOUR_PASSWORD"
mykibanahost:5601. If you specify a path after the port number, include the scheme and port: http://mykibanahost:5601/path.username and password settings for {{kib}} are optional. If you don’t specify credentials for {{kib}}, Winlogbeat uses the username and password specified for the {{es}} output.kibana_admin built-in role.
::::::::::::{applies-item} serverless: ga :sync: serverless ::::{include} /reference/_snippets/serverless-connect.md :::: ::::::
::::::: To learn more about required roles and privileges, see Grant users access to secured resources.
In winlogbeat.yml, configure the event logs that you want to monitor.
Under winlogbeat.event_log, specify a list of event logs to monitor. By default, Winlogbeat monitors application, security, and system logs.
winlogbeat.event_logs:
- name: Application
- name: Security
- name: System
To obtain a list of available event logs, run Get-EventLog * in PowerShell. For more information about this command, see the configuration details for event_logs.name.
(Optional) Set logging options to write Winlogbeat logs to a file:
logging.to_files: true
logging.files:
path: C:\Program Files\winlogbeat-Data\Logs
logging.level: info
By default Windows log files are stored in C:\Program Files\Winlogbeat-Data\logs.
:::{note}
In versions before 9.0.6, the default location for Windows log files was C:\ProgramData\winlogbeat\logs.
:::
After you save your configuration file, test it with the following command.
PS C:\Program Files\Winlogbeat> .\winlogbeat.exe test config -c .\winlogbeat.yml -e
For more information about configuring Winlogbeat, also see:
winlogbeat.reference.yml: This reference configuration file shows all non-deprecated options. You’ll find it in the same location as winlogbeat.yml.Winlogbeat comes with predefined assets for parsing, indexing, and visualizing your data. To load these assets:
Make sure the user specified in winlogbeat.yml is authorized to set up Winlogbeat.
From the installation directory, run:
PS > .\winlogbeat.exe setup -e
This step loads the recommended index template for writing to {{es}} , loads the ingest pipelines to parse the events (x-pack only), and deploys the sample dashboards for visualizing the data in {{kib}}.
::::{tip} A connection to {{es}} (or {{ech}}) is required to set up the initial environment. If you’re using a different output, such as {{ls}}, see:
::::
Before starting Winlogbeat, modify the user credentials in winlogbeat.yml and specify a user who is authorized to publish events.
To start the Winlogbeat service, run:
PS C:\Program Files\Winlogbeat> Start-Service winlogbeat
Winlogbeat should now be running. If you used the logging configuration described here, you can view the log file at C:\Program Files\winlogbeat-Data\Logs\winlogbeat.
By default Windows log files are stored in C:\Program Files\Winlogbeat-Data\logs.
:::{note}
In versions before 9.0.6, the default location for Windows log files was C:\ProgramData\winlogbeat\logs.
:::
You can view the status of the service and control it from the Services management console in Windows. To launch the management console, run this command:
PS C:\Program Files\Winlogbeat> services.msc
Stop the Winlogbeat service with the following command:
PS C:\Program Files\Winlogbeat> Stop-Service winlogbeat
Winlogbeat comes with pre-built {{kib}} dashboards and UIs for visualizing log data. You loaded the dashboards earlier when you ran the setup command.
To open the dashboards:
Launch {{kib}}:
:::::::{applies-switch} :group: deployment ::::::{applies-item} ess: ga :sync: hosted
localhost with the name of the {{kib}} host.
::::::
::::::{applies-item} serverless: ga
:sync: serverless
::::{include} /reference/_snippets/serverless-view-data.md
::::
::::::
:::::::In the side navigation, click Discover. To see Winlogbeat data, make sure the predefined winlogbeat-* data view is selected.
::::{tip} If you don’t see data in {{kib}}, try changing the time filter to a larger range. By default, {{kib}} shows the last 15 minutes. ::::
In the side navigation, click Dashboard, then select the dashboard that you want to open.
The dashboards are provided as examples. We recommend that you customize them to meet your needs.
By default, the Winlogbeat service runs as the Local System account. If you want to run the Winlogbeat service as a local user account that is not an Administrator, then follow the steps below. The local user account must be granted Log on as a service in the security policy and be made part of the Builtin\Event Log Readers group to read the event log.
Open the Services Management console with this command:
PS C:\Program Files\Winlogbeat> services.msc
Right-click on service named winlogbeat and select Properties
Under Log On tab, select This account: and browse for the local account user that you want to run Winlogbeat service as.
Enter local user account’s password and click Apply.
Search and open Local Group Policy Editor in Windows search or run gpedit.msc from Powershell.
Navigate to path: Computer Settings → Security Settings → Local Policies and open User Rights Assignment under it.
Inside User Rights Assignment, add your local user account to the policy named Log on as a service. This should allow your local user account log on as a service.
Open Local Users and Group Manager by running lusrmgr.msc in Powershell.
Under Users, right-click on your local account user and open Properties.
Select Member of tab and click on Add...
Find and select the group named Event Log Readers and click Apply. This should allow your local account user to read the event log.
Now that you have your logs streaming into {{es}}, learn how to unify your logs, metrics, uptime, and application performance data.
Ingest data from other sources by installing and configuring other Elastic {{beats}}:
| Elastic {{beats}} | To capture |
|---|---|
| {{metricbeat}} | Infrastructure metrics |
| {{filebeat}} | Logs |
| {{heartbeat}} | Uptime information |
| APM | Application performance metrics |
| {{auditbeat}} | Audit events |
Use the Observability apps in {{kib}} to search across all your data:
| Elastic apps | Use to |
|---|---|
| {{metrics-app}} | Explore metrics about systems and services across your ecosystem |
| {{logs-app}} | Tail related log data in real time |
| {{uptime-app}} | Monitor availability issues across your apps and services |
| APM app | Monitor application performance |
| {{siem-app}} | Analyze security events |