How to deploy WinLogBeat with secure authentication?
- By : Will
- Category : Elastic Stack
1 Introduction
One question, one article, one story.
Because I need to collect Windows logs, this chapter walks through installing Winlogbeat and integrating it with LogStash.
Winlogbeat is a log-collection agent built for the Windows platform, the counterpart of Filebeat on Linux.
Filebeat can of course also run on Windows; the advantage of Winlogbeat is that it can filter Windows event logs by event_id.
2 Best practice
2.1 Configure the LogStash collection end
Host Name = azlogstash.cmdschool.org
OS = Oracle Linux 9.x x86_64
IP Address = 10.168.0.103
The detailed configuration tutorial is as follows,
2.2 Configure WinLogBeat
2.2.1 Download the package
cd ~\Downloads\
wget -Uri https://artifacts.elastic.co/downloads/beats/winlogbeat/winlogbeat-8.14.1-windows-x86_64.msi -OutFile winlogbeat-8.14.1-windows-x86_64.msi
2.2.2 Install the package
cd ~\Downloads\
.\winlogbeat-8.14.1-windows-x86_64.msi /passive
2.2.3 Download and extract the certificates
cd "$env:ProgramFiles\Elastic\Beats\8.14.1\winlogbeat"
wget -Uri https://download.cmdschool.org/download/elastic-stack/winlogbeat/logstash.cmdschool.org_ca.zip -OutFile logstash.cmdschool.org_ca.zip
Expand-Archive -LiteralPath .\logstash.cmdschool.org_ca.zip -DestinationPath .
Note that "logstash.cmdschool.org_ca.zip" contains the certificates generated on the LogStash side (the CA certificate plus a certificate and private key signed by that CA). If you list the extracted files with the following command,
Get-ChildItem -Path *.crt, *.key
you will see the following,
    Directory: C:\Program Files\Elastic\Beats\8.14.1\winlogbeat

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----          6/24/2024  2:05 PM           1359 ca.crt
-a----          6/24/2024  2:05 PM           1249 logstash.cmdschool.org.crt
-a----          6/24/2024  2:06 PM           1704 logstash.cmdschool.org.key
2.2.4 Create the configuration file
notepad "$env:ProgramFiles\Elastic\Beats\8.14.1\winlogbeat\winlogbeat.yml"
Add the following configuration (the output section points at LogStash over TLS, verifying the server against ca.crt and presenting the client certificate and key for mutual authentication),
winlogbeat.event_logs:
  - name: Application
    level: warning, error, critical
    ignore_older: 72h
  - name: Security
    ignore_older: 168h
    event_id: 4624, 4625, 4626, 4627, 4634, 4647, 4648, 4672, 4700-4801
  - name: System
    ignore_older: 168h
    level: warning, error, critical
  - name: Directory Service
    ignore_older: 168h
    level: warning, error, critical
  - name: DNS Server
    ignore_older: 168h
    level: warning, error, critical
  - name: DFS Replication
    ignore_older: 168h
    level: warning, error, critical
setup.template.settings:
  index.number_of_shards: 3
output.logstash:
  hosts: ["logstash.cmdschool.org:5044"]
  ssl.certificate_authorities: ["C:\\Program Files\\Elastic\\Beats\\8.14.1\\winlogbeat\\ca.crt"]
  ssl.certificate: "C:\\Program Files\\Elastic\\Beats\\8.14.1\\winlogbeat\\logstash.cmdschool.org.crt"
  ssl.key: "C:\\Program Files\\Elastic\\Beats\\8.14.1\\winlogbeat\\logstash.cmdschool.org.key"
processors:
  - add_host_metadata:
Alternatively, you can generate the file in one go with the following command,
$myText = @"
winlogbeat.event_logs:
  - name: Application
    level: warning, error, critical
    ignore_older: 72h
  - name: Security
    ignore_older: 168h
    event_id: 4624, 4625, 4626, 4627, 4634, 4647, 4648, 4672, 4700-4801
  - name: System
    ignore_older: 168h
    level: warning, error, critical
  - name: Directory Service
    ignore_older: 168h
    level: warning, error, critical
  - name: DNS Server
    ignore_older: 168h
    level: warning, error, critical
  - name: DFS Replication
    ignore_older: 168h
    level: warning, error, critical
setup.template.settings:
  index.number_of_shards: 3
output.logstash:
  hosts: ["logstash.cmdschool.org:5044"]
  ssl.certificate_authorities: ["C:\\Program Files\\Elastic\\Beats\\8.14.1\\winlogbeat\\ca.crt"]
  ssl.certificate: "C:\\Program Files\\Elastic\\Beats\\8.14.1\\winlogbeat\\logstash.cmdschool.org.crt"
  ssl.key: "C:\\Program Files\\Elastic\\Beats\\8.14.1\\winlogbeat\\logstash.cmdschool.org.key"
processors:
  - add_host_metadata:
"@
Set-Content -Path "$env:ProgramFiles\Elastic\Beats\8.14.1\winlogbeat\winlogbeat.yml" -Value $myText
Then test the configuration with the following command,
cd "$env:ProgramFiles\Elastic\Beats\8.14.1\winlogbeat"
.\winlogbeat.exe test config -c .\winlogbeat.yml
If you see the following message, the file has no syntax errors,
Config OK
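"Config OK" only proves the YAML parses; it says nothing about whether the certificate bundle is usable or whether LogStash accepts the client certificate. The following PowerShell 7 script is an added example (not part of the original post) that checks, before the service is registered, that logstash.cmdschool.org.crt and its key belong together, that both the client certificate and the certificate LogStash presents chain to ca.crt, and that the server name matches. It assumes PowerShell 7 (for CreateFromPemFile) and that it is run from the winlogbeat directory; the function names are our own.

```powershell
using namespace System.Security.Cryptography.X509Certificates
using namespace System.Net.Security

# $true when $cert chains to $ca (and to nothing else) with no other trust anchor involved.
function Test-IssuedBy([X509Certificate2]$cert, [X509Certificate2]$ca) {
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck   # private CA: no CRL/OCSP
    $chain.ChainPolicy.VerificationFlags = [X509VerificationFlags]::AllowUnknownCertificateAuthority
    [void]$chain.ChainPolicy.ExtraStore.Add($ca)
    $built = $chain.Build($cert)
    $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    return $built -and ($root.Thumbprint -eq $ca.Thumbprint)
}

function Test-LogstashTls {
    param(
        [string]$LogstashHost = 'logstash.cmdschool.org',   # host from output.logstash.hosts
        [int]$Port = 5044,
        [string]$CaFile = '.\ca.crt',
        [string]$CertFile = '.\logstash.cmdschool.org.crt',
        [string]$KeyFile = '.\logstash.cmdschool.org.key'
    )
    $ca = [X509Certificate2]::new((Resolve-Path $CaFile).Path)
    # CreateFromPemFile (PowerShell 7 / .NET 5+) pairs the PEM certificate with its PEM private
    # key and throws if the key does not match the certificate's public key.
    $client = [X509Certificate2]::CreateFromPemFile((Resolve-Path $CertFile).Path, (Resolve-Path $KeyFile).Path)
    $result = [ordered]@{
        ClientCertSignedByCa = Test-IssuedBy $client $ca
        ClientCertInValidity = ($client.NotBefore -le (Get-Date)) -and ($client.NotAfter -gt (Get-Date))
    }
    # Handshake with LogStash. The callback records the policy errors and accepts the server
    # certificate so that it can be inspected afterwards; no data is sent and the socket is closed.
    $seen = @{ Errors = [SslPolicyErrors]::None }
    $callback = { param($sender, $cert, $chain, $policyErrors) $seen.Errors = $policyErrors; $true }.GetNewClosure()
    $clientCerts = [X509CertificateCollection]::new(); [void]$clientCerts.Add($client)
    $tcp = [System.Net.Sockets.TcpClient]::new($LogstashHost, $Port)
    try {
        $ssl = [SslStream]::new($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($LogstashHost, $clientCerts, $false)
        $server = [X509Certificate2]::new($ssl.RemoteCertificate)
        $result.Protocol             = $ssl.SslProtocol
        $result.ServerSubject        = $server.Subject
        $result.ServerCertSignedByCa = Test-IssuedBy $server $ca
        $result.ServerNameMatches    = -not ($seen.Errors -band [SslPolicyErrors]::RemoteCertificateNameMismatch)
        $result.MutualTlsAccepted    = $ssl.IsMutuallyAuthenticated
    } finally { $tcp.Close() }
    return [pscustomobject]$result
}

Test-LogstashTls | Format-List
```

Every field should read True (and Protocol should be Tls12 or Tls13) before you go on; a False in ServerCertSignedByCa or ServerNameMatches means Winlogbeat will refuse the connection, and a False in MutualTlsAccepted means LogStash did not take the client certificate. Winlogbeat's own `.\winlogbeat.exe test output -c .\winlogbeat.yml` performs a simpler connectivity check with the same settings.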
2.2.5 Register the service
.\install-service-winlogbeat.ps1
If you need to unregister the service, use the following command,
.\uninstall-service-winlogbeat.ps1
2.2.6 Start the service
Start-Service winlogbeat
If you need to stop the service, use the following command,
Stop-Service winlogbeat
If you want to check the state of the WinLogBeat service, you can use the following command,
services.msc
References
================
https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html