Skip to main content


Showing posts with the label Elasticsearch

Elasticsearch - Auditbeat

Depending upon your platform find the setup file below: Unzip the file, rename it to Auditbeat and copy the unzipped folder to C:\Program Files as below: Auditbeat 2. Open Powershell with Administrator privileges, and type the following: In case of code execution restriction, please check my post here . Once the installation is successful, modify the C:\Program Files\Auditbeat\auditbeat.yml file to establish the connection with Elastic Cloud tenant we created above. Scroll down and un-comment: "cloud-id" to enter the following: " Deployment:Cloud ID " cloud.auth: "username:<password>" I have masked the Cloud ID and password details for my deployment (Deployment-1) Enter the following commands in Powershell to load Kibana dashboards. The setup is ready.. Check on Kibana if the Windows Audit logs are getting populated in Kibana. The logs can be found by clicking on the compass icon in

Elasticsearch : Windows Event Logs : Winlogbeat

My first foray into the Security SIEM seems is going to be with the prodigal ELK stack. Keeping the discussion later, w.r.t. the pros, cons and features of ELK, let's dive into our first implementation (integration of Windows Server with ELK) For testing purpose, I have created a 14 day free trial that ELK offers. Go to Select Try Free Scroll down to find ElasticSearch and Click Launch on Elastic Cloud. It should ask for email details which needs to be verified. Create a Deployment. My deployment details are as below: Elasticsearch Deployment Click on the deployment to check the Cloud ID . Save this somewhere as this will be very crucial to direct traffic from endpoints to this Cloud Tenant Now, once the Cloud tenant is ready, let us install Winlogbeat on our Windows server to send Windows event logs to Kibana (ELK's GUI) Winlogbeat installation Download Winlogbeat from Extract the contents of the zip file to