Elastic Lab (part 6) - Winlogbeat

This project left off with getting Logstash running. This has been an exercise in refreshing some Linux, VMWare, and other IT skills in pursuit of building a Lab environment which can be used to attack some Cybersecurity topics using the ELK stack.

But what good is a SIEM without data to analyze? So below is how to install Winlogbeat on our Windows 10/11 host machine to ship its Windows event logs to our ELK stack.

One part of my motivation for slapping this on LinkedIn is that I really don't like looking for information on the internet only to find my searches all lead to videos. I prefer to read at my own speed rather than listen or watch at a pre-determined speed (not to boast 'too much', I'm very quick at scanning/skimming). AND, if I need to back up and review something, it's easy reading, while it's not as easy for me to remember exactly where in the video the piece I need is located.

That being said, we're going to follow THIS guide for installing Winlogbeat. AND there is a handy video someone made going through the steps. The first 3 minutes and 30 seconds are just turning back on his containerized ELK stack. So you can skip to THIS SPOT.

And/Or you could startup some working music: an AMAZING musical act is a small ensemble called "Vulfpeck". Their 2020 Madison Square Garden Concert is amazing! It starts off a bit slow but WOW it is amazing later in! That video has commercials though, so if you want a completely uninterrupted experience while you're hacking away at computer stuffs, check out this 2024 Vulfpeck concert.

BTW several people have mentioned "containerization" for functions like this lab. Containers make it easy to scale resources up and down, they're not tied to a particular piece of hardware (moving this VMware-based lab off your computer to a different one would take plenty of work!), and they have other benefits. VMware is an older way to run several virtual machines on one piece of hardware.

One of the quirks of using VMWare is that you need to make some of the network configurations manually. Make sure you can ping from your Host to your Guest and vice versa.

ON TO THE REAL SHOW!

These steps are executed on the Windows host machine which is running VMware, so the host sends data to the Elastic Stack running in the guest.

1- Let's execute the multiple steps in "Step 1: Install Winlogbeat" at the Quick start guide. https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html

2- In "Step 2", if you click the "Self-Managed" tab, it shows the configuration needed to securely connect to a production ELK stack (TLS for the connection plus credentials for Elasticsearch). You "can" skip it, and that's what our friend in the video above does; skipping it is acceptable on an isolated lab VM, but it means Winlogbeat talks to Elasticsearch without encryption or authentication, so don't carry that shortcut anywhere else.

3- Before "Step 3", right-click the file "C:\Program Files\Winlogbeat\winlogbeat.yml" and go to "Properties", then the "Security" tab, click the user(s) who need permission to modify the file, then "Edit". Click "Full Control", then "OK" and "OK". Once you're done editing, remove that "Full Control" entry again: the winlogbeat service reads this file under its own (elevated) service account, so a config that ordinary users can rewrite is a weak spot.

4- Now, open up the winlogbeat.yml file (notepad is fine).

Scroll down to the "Dashboards" section, remove the "#" in front of "setup.dashboards.enabled" and change its value so the line reads "setup.dashboards.enabled: true".

Under "Kibana", uncomment the host line and point it at the ELK stack: "host: "[IP address]:5601"" (take off the "#" but leave the one set of double quotes around the IP address:port).

Scroll down to "Elasticsearch Output" and take off the "#" from the hosts line. Leave the brackets and double quotes around the value, but put in the ELK stack IP address again (this one uses port 9200).

Now go down to "X-Pack Monitoring" and make the change: "monitoring.enabled: true" (no "#"!)

Save changes to the file!

5- Start the service from PowerShell or a Command Prompt (running as administrator!): "sc start winlogbeat". OR you can click the Windows search bar, type "services", and run it as administrator. Scroll down to "winlogbeat" and click on it. You'll see options to the left along with the current status.
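For anyone who would rather script steps 4 and 5 than edit the file by hand, here is an added PowerShell example (mine, not from the post or from Elastic). It makes the same four edits to winlogbeat.yml, then uses Winlogbeat's own "test config" and "test output" commands to catch a typo in the YAML or an unreachable ELK VM before the service starts. It assumes the default install path from the post, an elevated PowerShell, the comment markers as shipped in the stock winlogbeat.yml, and $ElkIp is a placeholder you replace with your ELK VM's address.

```powershell
# Added example, not from the post or from Elastic: apply the step-4 edits to
# winlogbeat.yml, validate the result, then start the service (step 5).
# Assumes the default install path from the post and an elevated PowerShell.
$ElkIp = '192.168.0.10'                        # placeholder: your ELK VM's address
$Dir   = 'C:\Program Files\Winlogbeat'
$Yml   = Join-Path $Dir 'winlogbeat.yml'

Copy-Item $Yml "$Yml.bak" -Force               # keep the shipped file to diff against

$cfg = Get-Content -Path $Yml -Raw
# Regex for the shipped (commented) line -> the uncommented value we want.
# (?m) makes ^ match at every line; captured indentation is kept so YAML nesting survives.
$edits = [ordered]@{
  '(?m)^#setup\.dashboards\.enabled: false'       = 'setup.dashboards.enabled: true'
  '(?m)^([ \t]*)#host: "localhost:5601"'          = "`$1host: `"$($ElkIp):5601`""
  '(?m)^([ \t]*)#?hosts: \["localhost:9200"\]'    = "`$1hosts: [`"$($ElkIp):9200`"]"
  '(?m)^#monitoring\.enabled: false'              = 'monitoring.enabled: true'
}
foreach ($pattern in $edits.Keys) {
  if ($cfg -notmatch $pattern) { throw "Did not find the expected default line for: $pattern" }
  $cfg = $cfg -replace $pattern, $edits[$pattern]
}
# WriteAllText writes UTF-8 without a byte-order mark, matching the shipped file.
[IO.File]::WriteAllText($Yml, $cfg)

# Validate the YAML and the Elasticsearch connection before starting the service.
Push-Location $Dir
.\winlogbeat.exe test config -c winlogbeat.yml
if ($LASTEXITCODE -ne 0) { Pop-Location; throw 'winlogbeat.yml failed validation' }
.\winlogbeat.exe test output -c winlogbeat.yml
if ($LASTEXITCODE -ne 0) { Pop-Location; throw 'could not reach Elasticsearch on the ELK VM' }
Pop-Location

Start-Service winlogbeat
Get-Service winlogbeat | Select-Object Name, Status
```

If you follow the "Self-Managed" tab instead of skipping it, the same replace-and-validate approach covers the "protocol", "username", "password" and "ssl.certificate_authorities" keys under "output.elasticsearch".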

6- Give it a few minutes and you should start to see data populating in your Kibana! Go to "Discover" and always take note of the time frame on the top right. I got this working yesterday (February 12), and you can see the Windows activity as I left my computer on all night:

[Screenshot: Kibana Discover with only one log ingestion running from Winlogbeat]

There are countless articles about how to use Elastic to analyze events, find security issues, build Kibana dashboards, etc., so I don't think I'll work on any of those. I'm going to next take a look at Elastic Agent, which is installed on the endpoint to send all of the proper data to Elastic.

Click here for a less than exciting conclusion, and DON'T get frustrated when you find out there are easier ways to accomplish the same objective! :)
