Winlogbeat - Integration Guide

This guide shows you how to set up Winlogbeat and integrate it into the Secure60 platform using a Secure60 Collector.

Overview

This guide explains how to collect Windows event logs using Winlogbeat and forward them to a Secure60 Collector that emulates a Logstash endpoint. It replaces the need for Logstash, simplifying the pipeline. If you have any additional questions, don’t hesitate to contact Secure60 Support.

Install Winlogbeat

  1. (Prerequisite) Install the Secure60 Collector
  2. Download and install the Winlogbeat MSI from the official website
  3. Modify the winlogbeat.yml configuration file located at: C:\Program Files\Winlogbeat\winlogbeat.yml with the following content:
output.logstash:
   hosts: ["<S60_COLLECTOR_IP_ADDRESS>:5044"]
   ssl.verification_mode: none

Ensure you replace <S60_COLLECTOR_IP_ADDRESS> with the actual IP address of your Secure60 collector.

Note: ssl.verification_mode: none is required because the Secure60 Collector uses a self-signed certificate. The TLS handshake itself works, but Winlogbeat rejects untrusted certificates unless verification is disabled. With this setting Winlogbeat does not validate the collector's certificate.

  4. Start the Winlogbeat service:
Start-Service winlogbeat
  5. To test whether Winlogbeat is connected to the collector, run the following command from the Winlogbeat installation directory:
.\winlogbeat.exe test output

If the target machine actively refuses the connection (dial up ERROR), keep retrying the command until it reports dial up OK. This means Winlogbeat is connected to the collector, and logs will start showing up in the portal.
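The start-and-retry steps above can be scripted. The following is an added example, not part of Winlogbeat or Secure60 tooling. It assumes an elevated PowerShell session, the install path given in this guide, and that the test output contains the "dial up ... OK" text described above; the timeout and delay values are illustrative.

```powershell
# Added example: hypothetical helper script, not shipped by Elastic or Secure60.
$BeatHome   = 'C:\Program Files\Winlogbeat'          # install path from this guide
$ConfigPath = Join-Path $BeatHome 'winlogbeat.yml'
$BeatExe    = Join-Path $BeatHome 'winlogbeat.exe'
$TimeoutSec = 300   # assumption: how long to wait for the collector
$DelaySec   = 10    # assumption: pause between attempts

# Stop early if the placeholder from the guide was never replaced.
# The prefix match also catches the misspelled variant of the placeholder.
$placeholder = Select-String -Path $ConfigPath -Pattern '<S60_COLLECTOR_IP_ADD' `
    -SimpleMatch -Quiet -ErrorAction Stop
if ($placeholder) {
    throw "Replace the collector placeholder in $ConfigPath with the real IP address."
}

# Validate the configuration file before starting the service.
& $BeatExe test config -c $ConfigPath
if ($LASTEXITCODE -ne 0) { throw "winlogbeat.yml failed validation." }

Start-Service winlogbeat -ErrorAction Stop

# Repeat 'test output' until it reports 'dial up ... OK' or the deadline passes.
$deadline  = (Get-Date).AddSeconds($TimeoutSec)
$connected = $false
$result    = ''
while (-not $connected -and (Get-Date) -lt $deadline) {
    $result = & $BeatExe test output -c $ConfigPath 2>&1 | Out-String
    if ($result -match 'dial up.*OK') {
        $connected = $true
    } else {
        Write-Host "Collector not reachable yet, retrying in $DelaySec seconds"
        Start-Sleep -Seconds $DelaySec
    }
}

if (-not $connected) {
    Write-Host $result    # show the last attempt for troubleshooting
    throw "No 'dial up OK' within $TimeoutSec seconds."
}

Write-Host "Winlogbeat reached the collector."
Get-Service winlogbeat | Format-Table Name, Status
```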

To check the status of Winlogbeat, use the command:

Get-Service winlogbeat

To restart the Winlogbeat service, use the command:

Restart-Service winlogbeat

Troubleshooting Notes

Ensure that:

Integrate with Secure60 Collector

We do not have an option in the collector to support Winlogbeat at the moment.

Logs and alerts can be viewed in the Secure60 portal.
