This guide shows how to set up Winlogbeat and integrate it with the Secure60 platform through a Secure60 Collector.

It explains how to collect Windows event logs with Winlogbeat and forward them to a Secure60 Collector that emulates a Logstash endpoint. The collector replaces Logstash in the pipeline, which simplifies the deployment. If you have any additional questions, don't hesitate to contact Secure60 Support.
Edit the Winlogbeat configuration file, winlogbeat.yml, located at C:\Program Files\Winlogbeat\winlogbeat.yml, so that its output section reads:

```yaml
output.logstash:
  hosts: ["<S60_COLLECTOR_IP_ADDRESS>:5044"]
  ssl.verification_mode: none
```

Ensure you replace <S60_COLLECTOR_IP_ADDRESS> with the actual IP address of your Secure60 Collector.
Note: ssl.verification_mode: none is required because the Secure60 Collector uses a self-signed certificate. The TLS handshake itself succeeds, but Winlogbeat rejects a certificate it does not trust unless verification is disabled.
Start the Winlogbeat service and test the output connection from an elevated PowerShell prompt in the Winlogbeat directory:

```powershell
Start-Service winlogbeat
.\winlogbeat.exe test output
```

If the test reports that the target machine is actively refusing the connection (dial up... ERROR), re-run the command until it reports dial up... OK. At that point Winlogbeat is connected to the collector, and logs will start showing up in the portal.
To check the status of the Winlogbeat service, use:

```powershell
Get-Service winlogbeat
```

To restart the Winlogbeat service, use:

```powershell
Restart-Service winlogbeat
```
If the TLS handshake errors persist, ensure that ssl.verification_mode: none is replaced with ssl.enabled: false in winlogbeat.yml, then repeat the .\winlogbeat.exe test output check (step 5) until it reports OK. This disables SSL in the Winlogbeat configuration to prevent TLS handshake errors, since the Winlogbeat client otherwise requires a valid certificate. We do not have an option in the collector to support Winlogbeat at the moment.
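The following PowerShell pre-flight check is an added example for the configuration and troubleshooting steps above; it is not Secure60's or Elastic's own tooling. It reads winlogbeat.yml, confirms the address placeholder was replaced, records which of the two transport-weakening settings from this guide is in effect (with either one, Winlogbeat cannot detect a host impersonating the collector, so keep that in mind when reviewing the network path), and tests TCP reachability of the collector port so that a dial up ERROR can be separated into a network problem versus a TLS problem. It assumes the configuration path from this guide and the Test-NetConnection cmdlet that ships with Windows 8 / Server 2012 and later.

```powershell
# Pre-flight check for the Winlogbeat -> Secure60 Collector output.
# Added example; assumes the default config path used in this guide.
param(
    [string]$ConfigPath = 'C:\Program Files\Winlogbeat\winlogbeat.yml',
    [int]$Port = 5044
)

$config = Get-Content -Path $ConfigPath -Raw

# 1. The placeholder from the guide must have been replaced with a real address.
if ($config -match '<S60_COLLECTOR_IP_ADDRESS>') {
    Write-Error "winlogbeat.yml still contains the <S60_COLLECTOR_IP_ADDRESS> placeholder"
    exit 1
}

# 2. Pull the collector host (and optional port) out of the hosts: ["a.b.c.d:5044"] line.
if ($config -match 'hosts:\s*\[\s*"(?<host>[^":\]]+)(?::(?<port>\d+))?"') {
    $collector = $Matches['host']
    if ($Matches['port']) { $Port = [int]$Matches['port'] }
} else {
    Write-Error "No output.logstash hosts entry found in $ConfigPath"
    exit 1
}

# 3. Record the transport-security settings this guide relies on. Both are expected
#    with a self-signed collector certificate, but each means Winlogbeat will accept
#    whatever answers on that address, so the finding belongs in the deployment record.
if ($config -match 'ssl\.verification_mode:\s*none') {
    Write-Warning "TLS certificate verification is disabled (ssl.verification_mode: none)"
}
if ($config -match 'ssl\.enabled:\s*false') {
    Write-Warning "TLS is disabled entirely (ssl.enabled: false); events travel in cleartext"
}

# 4. Check plain TCP reachability before 'winlogbeat.exe test output', so a
#    'dial up ERROR' can be attributed to firewall/network rather than TLS.
$reach = Test-NetConnection -ComputerName $collector -Port $Port -WarningAction SilentlyContinue
if (-not $reach.TcpTestSucceeded) {
    Write-Error "Cannot reach $collector on TCP/$Port - check firewall rules and the collector service"
    exit 1
}
Write-Host "TCP/$Port on $collector is reachable; now run: .\winlogbeat.exe test output"
```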
Logs and alerts can be viewed in the Secure60 portal.