This guide configures Winlogbeat to forward Sysmon and PowerShell logging to Logstash and installs it as a service on every endpoint via Group Policy.

It assumes that the ELK / Elastic stack from the previous guide is installed and working, and that Sysmon and PowerShell script block logging have already been enabled via GPO on all endpoints.

Download

Winlogbeat

Winlogbeat config yml file

GPO Powershell Script

Copy logstash-forwarder.crt from your ELK instance with pscp. This is the certificate Winlogbeat uses to verify the Logstash TLS endpoint; copy only the .crt, never the matching private key, since it is about to be published in SYSVOL.

pscp.exe <username>@<ELK IP>:/etc/pki/tls/certs/logstash-forwarder.crt .

Create a winlogbeat folder in SYSVOL and copy the files into it. SYSVOL is readable by every authenticated domain user, so nothing placed here (including winlogbeat.yml) should contain credentials.

C:\>dir /b \\dc.internal.local\sysvol\internal.local\winlogbeat
install.ps1
logstash-forwarder.crt
winlogbeat-7.4.2-windows-x86_64.zip
winlogbeat.yml

Configure

winlogbeat.yml has already been configured to forward Sysmon and PowerShell logging to Logstash.

Point winlogbeat.yml at your Logstash host / IP. Check that the same output.logstash block also lists logstash-forwarder.crt under ssl.certificate_authorities, at the path where install.ps1 places it on the endpoint; otherwise the certificate you copied is never used and the connection is not verified.

output.logstash:
  # The Logstash hosts
  hosts: ["<ELK IP>:5044"]

Modify the paths at the top of install.ps1 to match your domain and SYSVOL folder:

$source = '\\dc.internal.local\sysvol\internal.local\winlogbeat\winlogbeat-7.4.2-windows-x86_64.zip'
$cert = '\\dc.internal.local\sysvol\internal.local\winlogbeat\logstash-forwarder.crt'
$config = '\\dc.internal.local\sysvol\internal.local\winlogbeat\winlogbeat.yml'
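The following is an added, complete install.ps1 that I wrote for this guide; it is not the script linked above, though it keeps the same three source variables. It assumes (not stated on the page) an install directory of C:\Program Files\Winlogbeat, that the zip unpacks into a single winlogbeat-7.4.2-windows-x86_64 folder containing install-service-winlogbeat.ps1 as the official archive does, that winlogbeat.yml already points output.logstash.ssl.certificate_authorities at the cert inside that install directory, and that you fill in $zipSha256 with the hash of the archive you placed in SYSVOL. The script exits early when the service already exists, so it is safe to run as a GPO startup script at every boot, and it verifies the archive hash and validates the config before registering anything.

```powershell
# install.ps1 (added example, not the script linked on this page)
$source  = '\\dc.internal.local\sysvol\internal.local\winlogbeat\winlogbeat-7.4.2-windows-x86_64.zip'
$cert    = '\\dc.internal.local\sysvol\internal.local\winlogbeat\logstash-forwarder.crt'
$config  = '\\dc.internal.local\sysvol\internal.local\winlogbeat\winlogbeat.yml'

$installDir = 'C:\Program Files\Winlogbeat'              # assumed install location
$zipSha256  = '<sha256 of the zip you placed in SYSVOL>'  # assumed; fill in before deploying
$logFile    = Join-Path $env:ProgramData 'winlogbeat-install.log'

function Write-Log($msg) {
    "$(Get-Date -Format s) $msg" | Out-File -FilePath $logFile -Append
}

# GPO startup scripts run at every boot: leave an existing collector alone.
if (Get-Service -Name winlogbeat -ErrorAction SilentlyContinue) {
    Write-Log 'winlogbeat service already present, nothing to do'
    exit 0
}

$tmp = $null
try {
    # Verify the archive before executing anything pulled from a share that
    # every domain user can read.
    $actual = (Get-FileHash -Path $source -Algorithm SHA256).Hash
    if ($actual -ne $zipSha256) { throw "SHA256 mismatch for ${source}: $actual" }

    # Expand-Archive needs PowerShell 5+ (Windows 10 / Server 2016 and later).
    $tmp = Join-Path $env:TEMP 'winlogbeat-install'
    if (Test-Path $tmp) { Remove-Item $tmp -Recurse -Force }
    Expand-Archive -Path $source -DestinationPath $tmp -Force

    # The archive holds one versioned folder; move its contents into $installDir.
    $unpacked = Get-ChildItem -Path $tmp -Directory | Select-Object -First 1
    New-Item -ItemType Directory -Path $installDir -Force | Out-Null
    Copy-Item -Path (Join-Path $unpacked.FullName '*') -Destination $installDir -Recurse -Force

    # Replace the shipped default config with ours and drop the CA cert beside it.
    Copy-Item -Path $config -Destination (Join-Path $installDir 'winlogbeat.yml') -Force
    Copy-Item -Path $cert   -Destination (Join-Path $installDir 'logstash-forwarder.crt') -Force

    # Fail before registering the service if the config does not parse.
    $exe = Join-Path $installDir 'winlogbeat.exe'
    & $exe test config -c (Join-Path $installDir 'winlogbeat.yml') -path.home $installDir
    if ($LASTEXITCODE -ne 0) { throw 'winlogbeat.yml failed validation' }

    # install-service-winlogbeat.ps1 ships in the archive and registers the
    # service using the directory it lives in as the working directory.
    & powershell.exe -ExecutionPolicy Bypass -File (Join-Path $installDir 'install-service-winlogbeat.ps1')
    Set-Service -Name winlogbeat -StartupType Automatic
    Start-Service -Name winlogbeat
    Write-Log "installed winlogbeat from $source"
}
catch {
    Write-Log "install failed: $_"
    exit 1
}
finally {
    if ($tmp -and (Test-Path $tmp)) { Remove-Item $tmp -Recurse -Force }
}
```

After the first boot, confirm the deployment on an endpoint with `Get-Service winlogbeat` and by checking the log file under ProgramData; if the service never starts, run `winlogbeat.exe test output` from the install directory to see whether the TLS connection to Logstash on port 5044 is being rejected.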

GPO Deploy Winlogbeat