How to Integrate windows machine with Elastic Stack using winlogbeat client?

On December 2, 2023


In this blog we learn about the Elastic Stack and how to integrate a Windows machine into it using a Beats client. To understand this, let's first briefly discuss the definition of the Elastic Stack and its main components.

What is the Elastic Stack and what are its components?

The Elastic Stack, also known as the ELK Stack, is a collection of open-source software tools used for collecting, storing, searching, analyzing and visualizing data in real time. It has four main components: Elasticsearch, Kibana, Beats, and Logstash. The Elastic Stack can be used for a wide range of use cases, including log analytics, monitoring, security analytics, and more.

Elasticsearch is a search and analytics engine that indexes, searches, and analyzes large volumes of data in real time. For a cloud-based managed service we can use Elastic Cloud, which provides hosted Elasticsearch, Kibana, and the other components of the Elastic Stack. Elastic Cloud helps to create, scale, and monitor deployments and can integrate with other services such as AWS and Google Cloud.

A Beats client is a lightweight software agent installed on servers or endpoints to collect and ship a particular type of data to Elasticsearch or Logstash for processing and analysis. There are several Beats, each designed to collect and ship a specific type of data.

In this blog we integrate a Windows machine with Elastic using the Winlogbeat client, and to analyse the logs we create a dashboard in Kibana. So let's understand what Winlogbeat and Kibana are, and which steps to follow during the integration.

What is the Winlogbeat client?

In simple terms, the Winlogbeat client collects Windows event logs from Windows servers or endpoints and ships them to Elasticsearch or Logstash for analysis and alerting.

What is Kibana?

Kibana is a part of Elastic Stack, and it is a powerful data visualization tool. It provides a user-friendly interface to interact with the data stored in Elasticsearch and enables users to create a variety of visualizations, dashboards, and reports.

Integration of the Winlogbeat client with a Windows machine in Elastic:

Use the following steps to integrate a Windows machine with Elastic using the Winlogbeat client:

Step 1 - Install and configure the Beats client:

Download the appropriate version of the Beats client for the Windows 11 system from the Elastic website. Once downloaded, extract the files and configure the Beats client by editing the beats.yml configuration file to specify the Elasticsearch server URL, username, and password.

Step 2 - Enable the required Beats modules:

The Beats client comes with several modules that collect different types of data from Windows 11. In this blog we are using Winlogbeat. This module collects Windows event logs, while the Metricbeat module collects system metrics.

Step 3 - Start the Beats client:

After installing and configuring the Beats client and enabling the required modules, start the client by running the appropriate command from the Command Prompt or PowerShell.

Step 4 - Verify data that is being collected:

After starting the Beats client, verify that data is being collected from Windows 11 by checking the Elasticsearch index we specified in the beats.yml configuration file. This can be done through the Kibana web interface or through the Elasticsearch API.
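Steps 1 to 4 above carried out from an elevated PowerShell prompt, as an added example that is not code from the original post or from the Elastic project. Winlogbeat ships its configuration as winlogbeat.yml (not beats.yml); the Elasticsearch and Kibana URLs, the install directory and the CA certificate path are placeholders to adjust, and the password is kept in the Beats keystore rather than written into the YAML file.

```powershell
# Added example, not from the original post. Placeholder URLs and paths; adjust to your environment.
$beatDir = 'C:\Program Files\Winlogbeat'             # where the downloaded zip was extracted
$esUrl   = 'https://elastic.example.internal:9200'   # placeholder Elasticsearch URL
$kbUrl   = 'https://kibana.example.internal:5601'    # placeholder Kibana URL
$cred    = Get-Credential -Message 'Elasticsearch user for Winlogbeat'
$esPass  = $cred.GetNetworkCredential().Password

Set-Location $beatDir

# Keep the password out of the YAML file: store it in the Beats keystore and
# reference it as ${ES_PASS}; Beats resolves keystore and environment variables at load time.
.\winlogbeat.exe keystore create --force
$esPass | .\winlogbeat.exe keystore add ES_PASS --stdin --force

# Write winlogbeat.yml: which channels to read and where to ship them.
# The backtick stops PowerShell from expanding ${ES_PASS} itself; YAML single quotes keep backslashes literal.
@"
winlogbeat.event_logs:
  - name: Security
    ignore_older: 72h
  - name: System
  - name: Application

setup.kibana.host: '$kbUrl'

output.elasticsearch:
  hosts: ['$esUrl']
  username: '$($cred.UserName)'
  password: '`${ES_PASS}'
  ssl.certificate_authorities: ['$beatDir\ca.crt']   # CA that signed the Elasticsearch certificate
"@ | Set-Content -Path .\winlogbeat.yml -Encoding ASCII

# Validate the config file and the connection to Elasticsearch before installing a service.
.\winlogbeat.exe test config -c .\winlogbeat.yml -e
.\winlogbeat.exe test output -c .\winlogbeat.yml -e

# One-time setup: load the index template and the bundled Kibana dashboards.
.\winlogbeat.exe setup -c .\winlogbeat.yml -e

# Register Winlogbeat as a Windows service (the script ships in the zip) and start it.
PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-winlogbeat.ps1
Start-Service winlogbeat
Get-Service winlogbeat

# Verify through the Elasticsearch API that a winlogbeat index exists and is receiving documents.
$auth = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("$($cred.UserName):$esPass"))
Invoke-RestMethod -Uri "$esUrl/_cat/indices/winlogbeat-*?v" -Headers @{ Authorization = "Basic $auth" }
```

If `test output` fails on the certificate, fix the CA path before installing the service; the service runs as LocalSystem, which is what lets it read the Security channel.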

How to create a dashboard to summarize the machine's logs:

Follow these steps to create a dashboard in Kibana.

After installing and configuring the Winlogbeat client, set up Kibana and create the dashboard.

Step 1 - Create an index pattern:

In Kibana, navigate to the "Management" section and select "Index Patterns". Create an index pattern that matches the index name configured in Winlogbeat for sending logs to Elasticsearch.

Step 2 - Create Visualizations:

In Kibana, navigate to the "Visualize" section and create visualizations that summarize the logs, choosing from visualization types such as bar chart, line chart, pie chart, table, etc. Create the visualizations according to your needs.

Step 3 - Create a Dashboard:

In Kibana, navigate to the "Dashboard" section and create a new dashboard. Add the visualizations we created to the dashboard and arrange them in the way that best suits your needs.

Save the dashboard; it can be edited and revisited at any time. Using these steps, we can create a dashboard in Kibana that summarizes the Windows machine logs collected in Elastic with Winlogbeat, and use it to gain insight into those logs and troubleshoot any issues that may arise.
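The same summary a Security-log table visualization would show, pulled directly from the Elasticsearch API as an added example that is not from the original post; it doubles as a check that the winlogbeat-* index pattern actually holds data. The URL is a placeholder, and the field names are the ones Winlogbeat writes (winlog.channel, event.code, host.name).

```powershell
# Added example, not from the original post. Placeholder URL; prompts for the Elasticsearch user.
$esUrl = 'https://elastic.example.internal:9200'
$cred  = Get-Credential -Message 'Elasticsearch user'
$auth  = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(
           "$($cred.UserName):$($cred.GetNetworkCredential().Password)"))
$hdr   = @{ Authorization = "Basic $auth"; 'Content-Type' = 'application/json' }

# Security-channel events from the last 24 hours, bucketed by host and then by event code.
$query = @{
  size  = 0
  query = @{ bool = @{ filter = @(
    @{ term  = @{ 'winlog.channel' = 'Security' } }
    @{ range = @{ '@timestamp' = @{ gte = 'now-24h' } } }
  ) } }
  aggs = @{
    per_host = @{
      terms = @{ field = 'host.name'; size = 20 }
      aggs  = @{ per_code = @{ terms = @{ field = 'event.code'; size = 10 } } }
    }
  }
} | ConvertTo-Json -Depth 10

$resp = Invoke-RestMethod -Method Post -Uri "$esUrl/winlogbeat-*/_search" -Headers $hdr -Body $query

# Flatten the nested buckets into the rows a table visualization would display.
foreach ($h in $resp.aggregations.per_host.buckets) {
  foreach ($c in $h.per_code.buckets) {
    [pscustomobject]@{ Host = $h.key; EventCode = $c.key; Count = $c.doc_count }
  }
}
```

An empty per_host list with a successful request means the index pattern matches no documents for that window; check Step 4 of the integration before building panels.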

Conclusion:

In conclusion, integrating Windows machines with Elastic using the Winlogbeat Client is a powerful way to gain insight into the system’s performance and security. With Winlogbeat, we can easily collect and centralize our Windows event logs, and analyse them in real-time with the Elastic Stack.

