WinLogBeat is one of the tools used to ship logs from Windows hosts to a defined data ingestor. Filebeat can be used for Linux, Mac, pfSense, and BSD log shipping. This lab utilizes Logstash for Windows event log ingestion. The Logstash service runs on the lab’s Linux server and listens for inbound data. Logstash then collects, parses, and transforms the log data.
Connect to the ELK system using putty and check that the docker containers are running properly. Install and Configure WinLogBeat on the Domain Controller (WEC). Verify that the Kibana interface is accessible. On the Windows 10 workstation, attempt to create suspicious logs. Lastly, hunt for the suspicious logs in Kibana.
Connect via Remote Desktop to the Domain Controller, DC01.
See Lab L0200 for connection instructions.
Launch Windows PowerShell from the Windows Start Menu. See Lab L0250 for instruction on launching PowerShell.
First, confirm the correct user and system context by using the "whoami" and "hostname" commands.
whoami
hostname
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.
PS C:\Users\itadmin> whoami
labs\itadmin <------------------------------VERIFY RESULT
PS C:\Users\itadmin> hostname
dc01 <-----------------------------------VERIFY RESULT
If the result of the above commands differs, please confirm you are operating on the correct system and user context.
The WinLogBeat configuration is set in the winlogbeat.yml file provided with WinLogBeat. We will rename the original file and retain it for reference. We will then copy the lab-provided WinLogBeat configuration file from the Course Repo to the WinLogBeat install location.
mv C:\LABS\WinLogBeat\winlogbeat-7.10.2-windows-x86_64\winlogbeat.yml C:\LABS\WinLogBeat\winlogbeat-7.10.2-windows-x86_64\winlogbeat.yml.old
cp C:\labs\LabPack\LABPACK-master\Lab-WinLogBeat\winlogbeat.yml C:\LABS\WinLogBeat\winlogbeat-7.10.2-windows-x86_64\winlogbeat.yml
ls C:\LABS\WinLogBeat\winlogbeat-7.10.2-windows-x86_64
PS C:\Users\itadmin> mv C:\LABS\WinLogBeat\winlogbeat-7.10.2-windows-x86_64\winlogbeat.yml C:\LABS\WinLogBeat\winlogbeat-7.10.2-windows-x86_64\winlogbeat.yml.old
PS C:\Users\itadmin> cp C:\labs\LabPack\LABPACK-master\Lab-WinLogBeat\winlogbeat.yml C:\LABS\WinLogBeat\winlogbeat-7.10.2-windows-x86_64\winlogbeat.yml
PS C:\Users\itadmin> ls C:\LABS\WinLogBeat\winlogbeat-7.10.2-windows-x86_64
Directory: C:\LABS\WinLogBeat\winlogbeat-7.10.2-windows-x86_64
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/1/2021 2:38 AM kibana
d----- 2/1/2021 2:38 AM module
-a---- 1/12/2021 11:32 PM 41 .build_hash.txt
-a---- 1/12/2021 11:30 PM 228184 fields.yml
-a---- 1/12/2021 11:32 PM 897 install-service-winlogbeat.ps1
-a---- 1/12/2021 9:58 PM 13675 LICENSE.txt
-a---- 1/12/2021 10:00 PM 8566190 NOTICE.txt
-a---- 1/12/2021 11:32 PM 837 README.md
-a---- 1/12/2021 11:32 PM 254 uninstall-service-winlogbeat.ps1
-a---- 1/12/2021 11:32 PM 65788416 winlogbeat.exe
-a---- 1/12/2021 11:30 PM 60217 winlogbeat.reference.yml
-a---- 10/29/2020 7:06 PM 2582 winlogbeat.yml
-a---- 1/12/2021 11:30 PM 8778 winlogbeat.yml.old
PS C:\Users\itadmin>
With the updated configuration file in place, we now turn to the installation of WinLogBeat.
Because the WinLogBeat installation utilizes a PS1 PowerShell script, we will need to launch a new PowerShell session with the -Exec "bypass" argument. This allows the execution of unsigned PS1 scripts in that child process only; the machine-wide execution policy is left unchanged.
cd c:\labs\WinLogBeat\winlogbeat-7.10.2-windows-x86_64\
powershell -Exec bypass -File .\install-service-winlogbeat.ps1
PS C:\Users\itadmin> cd c:\labs\WinLogBeat\winlogbeat-7.10.2-windows-x86_64\
PS C:\labs\WinLogBeat\winlogbeat-7.10.2-windows-x86_64> powershell -Exec bypass -File .\install-service-winlogbeat.ps1
Status Name DisplayName
------ ---- -----------
Stopped winlogbeat winlogbeat
The service has been installed and configured. It is currently in a stopped state.
We will use the Set-Service PowerShell cmdlet to update the service configuration of the WinLogBeat service so that it starts automatically, then start it and confirm its state.
Set-Service -Name "winlogbeat" -StartupType automatic
Start-Service -Name "winlogbeat"
Get-Service winlogbeat
PS C:\labs\WinLogBeat\winlogbeat-7.10.2-windows-x86_64> Set-Service -Name "winlogbeat" -StartupType automatic
PS C:\labs\WinLogBeat\winlogbeat-7.10.2-windows-x86_64> Start-Service -Name "winlogbeat"
PS C:\labs\WinLogBeat\winlogbeat-7.10.2-windows-x86_64> Get-Service winlogbeat
Status Name DisplayName
------ ---- -----------
Running winlogbeat winlogbeat
Note that the service is now running and configured to AutoStart with the Domain Controller.
We can now test the operation of WinLogBeat to ensure the installation and configuration completed successfully.
cd c:\labs\WinLogBeat\winlogbeat-7.10.2-windows-x86_64\
.\winlogbeat.exe test config -c .\winlogbeat.yml -e
The most important part of the output from these commands is the last line, which should read "Config OK".
PS C:\labs\WinLogBeat\winlogbeat-7.10.2-windows-x86_64> cd c:\labs\WinLogBeat\winlogbeat-7.10.2-windows-x86_64\
PS C:\labs\WinLogBeat\winlogbeat-7.10.2-windows-x86_64> .\winlogbeat.exe test config -c .\winlogbeat.yml -e
2020-06-27T19:14:09.319Z INFO instance/beat.go:621 Home path: [C:\labs\WinLogBeat\winlogbeat-7.10.2-windows-x86_64] Config path: [C:\labs\WinLogBeat\winlogbeat-7.10.2-windows-x86_64] Data path: [C:\labs\WinLogBeat\winlogbeat-7.10.2-windows-x86_64\data] Logs path: [C:\labs\WinLogBeat\winlogbeat-7.10.2-windows-x86_64\logs]
2020-06-27T19:14:09.399Z INFO instance/beat.go:629 Beat ID: 4ac541c2-2c12-413d-9287-71cc786636ba
2020-06-27T19:14:09.412Z INFO [beat] instance/beat.go:957 Beat info {"system_info": {"beat": {"path": {"config": "C:\\labs\\WinLogBeat\\winlogbeat-7.10.2-windows-x86_64", "data": "C:\\labs\\WinLogBeat\\winlogbeat-7.10.2-windows-x86_64\\data", "home": "C:\\labs\\WinLogBeat\\winlogbeat-7.10.2-windows-x86_64", "logs": "C:\\labs\\WinLogBeat\\winlogbeat-7.10.2-windows-x86_64\\logs"}, "type": "winlogbeat", "uuid": "4ac541c2-2c12-413d-9287-71cc786636ba"}}}
2020-06-27T19:14:09.412Z INFO [beat] instance/beat.go:966 Build info {"system_info": {"build": {"commit": "932b273e8940575e15f10390882be205bad29e1f", "libbeat": "7.10.2", "time": "2020-05-28T15:33:20.000Z", "version": "7.10.2"}}}
2020-06-27T19:14:09.412Z INFO [beat] instance/beat.go:969 Go runtime info {"system_info": {"go": {"os":"windows","arch":"amd64","max_procs":2,"version":"go1.13.9"}}}
2020-06-27T19:14:09.418Z INFO [beat] instance/beat.go:973 Host info {"system_info": {"host": {"architecture":"x86_64","boot_time":"2020-06-27T18:40:19.44Z","name":"dc01","ip":["fe80::f101:b9bb:3c1b:313e/64","10.10.98.10/24","::1/128","127.0.0.1/8","fe80::5efe:a0a:620a/128","fe80::ffff:ffff:fffe/64"],"kernel_version":"10.0.14393.3750 (rs1_release.200601-1853)","mac":["00:0d:3a:96:b8:3d","00:00:00:00:00:00:00:e0","00:00:00:00:00:00:00:e0"],"os":{"family":"windows","platform":"windows","name":"Windows Server 2016 Datacenter","version":"10.0","major":10,"minor":0,"patch":0,"build":"14393.3750"},"timezone":"GMT","timezone_offset_sec":0,"id":"71e70d09-2b67-46e7-a438-0870c3595bc9"}}}
2020-06-27T19:14:09.424Z INFO [beat] instance/beat.go:1002 Process info {"system_info": {"process": {"cwd": "C:\\labs\\WinLogBeat\\winlogbeat-7.10.2-windows-x86_64", "exe": "C:\\LABS\\WinLogBeat\\winlogbeat-7.10.2-windows-x86_64\\winlogbeat.exe", "name": "winlogbeat.exe", "pid": 3292, "ppid": 5000, "start_time": "2020-06-27T19:14:06.874Z"}}}
2020-06-27T19:14:09.425Z INFO instance/beat.go:297 Setup Beat: winlogbeat; Version: 7.10.2
2020-06-27T19:14:09.426Z INFO [publisher] pipeline/module.go:110 Beat name: dc01
2020-06-27T19:14:09.427Z INFO beater/winlogbeat.go:69 State will be read from and persisted to C:\labs\WinLogBeat\winlogbeat-7.10.2-windows-x86_64\data\.winlogbeat.yml
Config OK
PS C:\labs\WinLogBeat\winlogbeat-7.10.2-windows-x86_64>
Note that the last line states "Config OK".
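The install, service and "test config" steps above each check one thing in isolation. The script below is an added example (not part of the lab pack or of Winlogbeat itself) that runs the whole post-install health check in one pass, and adds the one check the lab does not show: "winlogbeat.exe test output", which confirms the Logstash output in winlogbeat.yml is actually reachable from DC01. It assumes the lab install path shown above and that the lab-provided winlogbeat.yml uses an "output.logstash:" section, as the lab description states.

```powershell
# Added example: post-install health check for the Winlogbeat service configured in this lab.
# Assumes the lab install path; the Logstash host comes from winlogbeat.yml itself.
$BeatHome = 'C:\labs\WinLogBeat\winlogbeat-7.10.2-windows-x86_64'
$Failures = @()

# 1. Service is installed, running, and set to start automatically with the DC.
$svc = Get-Service -Name winlogbeat -ErrorAction SilentlyContinue
if (-not $svc) {
    $Failures += 'winlogbeat service is not installed'
} else {
    if ($svc.Status -ne 'Running') { $Failures += "service status is $($svc.Status), expected Running" }
    # Get-Service does not expose start mode in Windows PowerShell 5.1; read it via CIM.
    $startMode = (Get-CimInstance Win32_Service -Filter "Name='winlogbeat'").StartMode
    if ($startMode -ne 'Auto') { $Failures += "service start mode is $startMode, expected Auto" }
}

# 2. The active config is the lab-provided file (ships to Logstash), not the renamed default.
$cfg = Join-Path $BeatHome 'winlogbeat.yml'
if (-not (Test-Path $cfg)) {
    $Failures += "missing $cfg"
} elseif (-not (Select-String -Path $cfg -Pattern '^\s*output\.logstash:' -Quiet)) {
    $Failures += 'winlogbeat.yml has no output.logstash section; the default file may still be active'
}

# 3. Config parses, and the configured Logstash output answers on the network.
Push-Location $BeatHome
$cfgText = (& .\winlogbeat.exe test config -c .\winlogbeat.yml 2>&1 | Out-String)
if ($LASTEXITCODE -ne 0 -or $cfgText -notmatch 'Config OK') { $Failures += 'test config did not report Config OK' }
$outText = (& .\winlogbeat.exe test output -c .\winlogbeat.yml 2>&1 | Out-String)
if ($LASTEXITCODE -ne 0) { $Failures += "test output failed (Logstash unreachable or TLS mismatch):`n$outText" }
Pop-Location

# 4. The beat has started reading channels: the state file named in the test output exists.
$state = Join-Path $BeatHome 'data\.winlogbeat.yml'
if (-not (Test-Path $state)) { $Failures += "no state file at $state yet; no events read so far" }

if ($Failures.Count -eq 0) {
    'Winlogbeat health check: OK'
} else {
    "Winlogbeat health check FAILED:`n - " + ($Failures -join "`n - ")
}
```

Run it in the same elevated PowerShell session used for the install; a failure in step 3 with "Config OK" passing points at the Logstash side (firewall, listener, or certificate) rather than at the Winlogbeat configuration.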
You may now disconnect from the Domain Controller, DC01.
In this step, we will make an initial connection to Kibana and go directly to the Discover Dashboard to ensure that logs are being sent to the HELK SIEM. Elasticsearch may take a few minutes to index the domain's logs up to this point, so feel free to freshen your tea, if you are so inclined.
Using Chrome or Internet Explorer on the Member Server, access the Kibana URL and log in using the credentials below.
URL: https://10.10.98.20
Username: helk
Password: hunting
After logging in, you should be presented with the Kibana Interface. Press the Discover Dashboard Icon.
Ensure that the "logs-*" index pattern is selected. You should see logs presented in the interface.
If you have found logs in the Kibana Interface, you have completed this lab. The next lab will cover Kibana Navigation.