How to deploy Winlogbeat with secure authentication?

1 Introduction

One question, one article, one story.
Since I need to collect Windows logs, this article covers installing Winlogbeat and integrating it with Logstash.
Winlogbeat is a log-shipping agent built for the Windows platform, the counterpart of Filebeat on Linux.
Filebeat also runs on Windows, but Winlogbeat has the advantage that it can filter events by event_id.

2 Best practice

2.1 Configure the Logstash collection side

Host Name = azlogstash.cmdschool.org
OS = Oracle Linux 9.x x86_64
IP Address = 10.168.0.103
The detailed configuration tutorial is here:

How to deploy Logstash with secure authentication?

2.2 Configure Winlogbeat

2.2.1 Download the package

cd ~\Downloads\
wget -Uri https://artifacts.elastic.co/downloads/beats/winlogbeat/winlogbeat-8.14.1-windows-x86_64.msi -OutFile winlogbeat-8.14.1-windows-x86_64.msi

2.2.2 Install the package

cd ~\Downloads\
.\winlogbeat-8.14.1-windows-x86_64.msi /passive

2.2.3 Download and extract the certificates

cd "$env:ProgramFiles\Elastic\Beats\8.14.1\winlogbeat"
wget -Uri https://download.cmdschool.org/download/elastic-stack/winlogbeat/logstash.cmdschool.org_ca.zip -OutFile logstash.cmdschool.org_ca.zip
Expand-Archive -LiteralPath .\logstash.cmdschool.org_ca.zip -DestinationPath .

Note that "logstash.cmdschool.org_ca.zip" contains the authentication certificates generated on the Logstash host. If you list the extracted files with the following command,

Get-ChildItem -Path *.crt, *.key

you will see the following output:

    Directory: C:\Program Files\Elastic\Beats\8.14.1\winlogbeat


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        6/24/2024   2:05 PM           1359 ca.crt
-a----        6/24/2024   2:05 PM           1249 logstash.cmdschool.org.crt
-a----        6/24/2024   2:06 PM           1704 logstash.cmdschool.org.key

2.2.4 Create the configuration file

notepad "$env:ProgramFiles\Elastic\Beats\8.14.1\winlogbeat\winlogbeat.yml"

Add the following configuration:

winlogbeat.event_logs:
  - name: Application
    level: warning, error, critical
    ignore_older: 72h
  - name: Security
    ignore_older: 168h
    event_id: 4624, 4625, 4626, 4627, 4634, 4647, 4648, 4672, 4700-4801
  - name: System
    ignore_older: 168h
    level: warning, error, critical
  - name: Directory Service
    ignore_older: 168h
    level: warning, error, critical
  - name: DNS Server
    ignore_older: 168h
    level: warning, error, critical
  - name: DFS Replication
    ignore_older: 168h
    level: warning, error, critical
setup.template.settings:
  index.number_of_shards: 3
output.logstash:
  hosts: ["logstash.cmdschool.org:5044"]
  ssl.certificate_authorities: ["C:\\Program Files\\Elastic\\Beats\\8.14.1\\winlogbeat\\ca.crt"]
  ssl.certificate: "C:\\Program Files\\Elastic\\Beats\\8.14.1\\winlogbeat\\logstash.cmdschool.org.crt"
  ssl.key: "C:\\Program Files\\Elastic\\Beats\\8.14.1\\winlogbeat\\logstash.cmdschool.org.key"
processors:
  - add_host_metadata:

Alternatively, you can generate the file quickly with the following commands:

$myText = @"
winlogbeat.event_logs:
  - name: Application
    level: warning, error, critical
    ignore_older: 72h
  - name: Security
    ignore_older: 168h
    event_id: 4624, 4625, 4626, 4627, 4634, 4647, 4648, 4672, 4700-4801
  - name: System
    ignore_older: 168h
    level: warning, error, critical
  - name: Directory Service
    ignore_older: 168h
    level: warning, error, critical
  - name: DNS Server
    ignore_older: 168h
    level: warning, error, critical
  - name: DFS Replication
    ignore_older: 168h
    level: warning, error, critical
setup.template.settings:
  index.number_of_shards: 3
output.logstash:
  hosts: ["logstash.cmdschool.org:5044"]
  ssl.certificate_authorities: ["C:\\Program Files\\Elastic\\Beats\\8.14.1\\winlogbeat\\ca.crt"]
  ssl.certificate: "C:\\Program Files\\Elastic\\Beats\\8.14.1\\winlogbeat\\logstash.cmdschool.org.crt"
  ssl.key: "C:\\Program Files\\Elastic\\Beats\\8.14.1\\winlogbeat\\logstash.cmdschool.org.key"
processors:
  - add_host_metadata:
"@
Set-Content -Path "$env:ProgramFiles\Elastic\Beats\8.14.1\winlogbeat\winlogbeat.yml" -Value $myText

Then test the configuration with the following commands:

cd "$env:ProgramFiles\Elastic\Beats\8.14.1\winlogbeat"
.\winlogbeat.exe test config -c .\winlogbeat.yml

If you see the following message, the configuration has no syntax errors:

Config OK
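"test config" only checks the YAML syntax; it does not confirm that the certificates extracted in 2.2.3 actually form a valid client identity for Logstash. The following PowerShell pre-flight script is an added example, not part of the original article: it checks that the three files exist, warns if the private key's ACL is broader than it should be, verifies the client certificate's validity period and that its chain ends at ca.crt, tests TCP reachability of the Beats input, and finally has Winlogbeat perform a real TLS handshake with "test output". It assumes the paths and host name used in this article and that the client certificate is signed directly by ca.crt.

```powershell
# Added pre-flight check, not part of the original article. It assumes the article's
# paths and host name, and that the client certificate is signed directly by ca.crt.
$base    = "$env:ProgramFiles\Elastic\Beats\8.14.1\winlogbeat"
$caPath  = Join-Path $base 'ca.crt'
$crtPath = Join-Path $base 'logstash.cmdschool.org.crt'
$keyPath = Join-Path $base 'logstash.cmdschool.org.key'
$lsHost  = 'logstash.cmdschool.org'
$lsPort  = 5044
# 1. All three files must exist. Files extracted under Program Files inherit read
#    access for BUILTIN\Users, which is too broad for the private key.
foreach ($p in $caPath, $crtPath, $keyPath) {
    if (-not (Test-Path -LiteralPath $p)) { throw "Missing file: $p" }
}
$broad = (Get-Acl -LiteralPath $keyPath).Access |
    Where-Object { $_.IdentityReference -match 'Everyone|\\Users$' }
if ($broad) {
    Write-Warning "ssl.key is readable by: $(($broad.IdentityReference | Select-Object -Unique) -join ', ')"
}
# 2. Load the PEM certificates and check validity period and issuer.
$ca  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $caPath
$crt = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $crtPath
$now = Get-Date
if ($crt.NotBefore -gt $now -or $crt.NotAfter -lt $now) {
    throw "Client certificate not currently valid: $($crt.NotBefore) .. $($crt.NotAfter)"
}
if ($crt.Issuer -ne $ca.Subject) {
    throw "Issuer '$($crt.Issuer)' does not match CA subject '$($ca.Subject)'"
}
# 3. Build the chain against ca.crt alone. The CA is private and not in the Windows
#    root store, so allow an unknown root, then insist the chain ends at our CA.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
[void]$chain.ChainPolicy.ExtraStore.Add($ca)
$chain.ChainPolicy.RevocationMode    = 'NoCheck'
$chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
if (-not $chain.Build($crt)) {
    throw "Chain build failed: $($chain.ChainStatus.StatusInformation -join '; ')"
}
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($root.Thumbprint -ne $ca.Thumbprint) {
    throw "Chain does not end at ca.crt but at '$($root.Subject)'"
}
Write-Host "Certificate chain OK: $($crt.Subject) -> $($ca.Subject)"
# 4. Check the Beats input is reachable, then let Winlogbeat do a real TLS handshake
#    with the ssl.* settings from winlogbeat.yml (exit code 0 means success).
if (-not (Test-NetConnection -ComputerName $lsHost -Port $lsPort -InformationLevel Quiet)) {
    throw "TCP ${lsHost}:${lsPort} is unreachable"
}
& (Join-Path $base 'winlogbeat.exe') test output -c (Join-Path $base 'winlogbeat.yml')
```

Run it from an elevated PowerShell before registering the service; if the final handshake fails, the error printed by winlogbeat.exe names the side (CA, client certificate, or key) that Logstash rejected.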

2.2.5 Register the service

.\install-service-winlogbeat.ps1

If you need to unregister the service, use the following command:

.\uninstall-service-winlogbeat.ps1

2.2.6 Start the service

Start-Service winlogbeat

If you need to stop the service, use the following command:

Stop-Service winlogbeat

If you want to check the state of the Winlogbeat service, you can use the following command:

services.msc

Reference documentation
================
https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html
