This guide will show you how to set up Winlogbeat and integrate it into the Secure60 platform using a Secure60 Collector.
This guide explains how to collect Windows event logs using Winlogbeat and forward them to a Secure60 Collector that emulates a Logstash endpoint. It replaces the need for Logstash, simplifying the pipeline. If you have any additional questions, don’t hesitate to contact Secure60 Support.
Update the winlogbeat.yml configuration file, located at C:\Program Files\Winlogbeat\winlogbeat.yml, with the following content:
output.logstash:
  hosts: ["<S60_COLLECTOR_IP_ADDRESS>:5044"]
  ssl.verification_mode: none
Ensure you replace <S60_COLLECTOR_IP_ADDRESS> with the actual IP address of your Secure60 collector.
Note: ssl.verification_mode: none is required because the Secure60 Collector uses a self-signed certificate. The TLS handshake works, but Winlogbeat rejects untrusted certificates unless verification is disabled.
Start-Service winlogbeat
.\winlogbeat.exe test output
If the target machine is actively refusing the connection (dial up ERROR), keep retrying the command until it reports dial up OK. This means Winlogbeat has connected to the collector, and logs will start showing up in the portal.
To check the status of Winlogbeat, use the command:
Get-Service winlogbeat
To restart the Winlogbeat service, use the command:
Restart-Service winlogbeat
Ensure that:
ssl.verification_mode: none) with (ssl.enabled: false), then keep trying step 5. This disables SSL in the Winlogbeat configuration file to prevent TLS handshake errors, since the Winlogbeat client requires a valid certificate. We do not have an option in the collector to support Winlogbeat at the moment.
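The retry-until-connected check described above can be scripted. This is an added PowerShell example, not part of the original guide or of Secure60's tooling; the retry count, the delay, and the success test on the command's output text are assumptions, and the collector address is a placeholder.

```powershell
# Added example, not Secure60 or Elastic code. Assumes the install path used in this guide.
param(
    [string]$CollectorHost = '<S60_COLLECTOR_IP_ADDRESS>',  # placeholder: set to your collector
    [int]$Port = 5044,
    [int]$MaxAttempts = 20,     # assumed retry budget
    [int]$DelaySeconds = 15     # assumed pause between attempts
)
$BeatDir = 'C:\Program Files\Winlogbeat'
$Config  = Join-Path $BeatDir 'winlogbeat.yml'

# Report the active transport setting so the operator knows what is on the wire.
$yaml = Get-Content -Path $Config -Raw
if ($yaml -match '(?m)^\s*ssl\.enabled:\s*false') {
    Write-Warning 'ssl.enabled: false is set: events go to the collector without TLS.'
} elseif ($yaml -match '(?m)^\s*ssl\.verification_mode:\s*none') {
    Write-Host 'TLS is on; the collector certificate is not verified (verification_mode: none).'
}

# The service must be running for events to ship once the output test passes.
if ((Get-Service -Name winlogbeat).Status -ne 'Running') { Start-Service -Name winlogbeat }

for ($i = 1; $i -le $MaxAttempts; $i++) {
    # Plain TCP check first: separates "port not reachable" from TLS-level failures.
    $tcp = Test-NetConnection -ComputerName $CollectorHost -Port $Port -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        Write-Host "[$i/$MaxAttempts] TCP ${CollectorHost}:$Port not reachable yet"
    } else {
        # Success is judged from the output text the guide describes (dial up OK / ERROR).
        $out = & (Join-Path $BeatDir 'winlogbeat.exe') test output -c $Config 2>&1 | Out-String
        if ($out -match 'dial up.*OK' -and $out -notmatch 'ERROR') {
            Write-Host "[$i/$MaxAttempts] test output succeeded"; $out; break
        }
        Write-Host "[$i/$MaxAttempts] test output failed:"; $out
    }
    Start-Sleep -Seconds $DelaySeconds
}
if ($i -gt $MaxAttempts) { Write-Error "No connection after $MaxAttempts attempts"; exit 1 }
Get-Service -Name winlogbeat
```

Run it from an elevated PowerShell session, since starting the service and reading files under Program Files may require administrator rights.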
Logs and alerts can be viewed in the Secure60 portal.