
Active Directory via Winlogbeat

Active Directory is a directory service developed by Microsoft for Windows domain networks. This integration allows you to send Active Directory logs to your SIEM account.

Before you begin, you'll need: Winlogbeat 8, Winlogbeat 7.0.0 or Winlogbeat 6.

Download the public certificate

Download the public certificate to C:\ProgramData\Winlogbeat\COMODORSADomainValidationSecureServerCA.crt on your machine.

Configure Windows applications as an input

If you're working with the default configuration file (C:\Program Files\Winlogbeat\winlogbeat.yml), clear its contents and start with a fresh file.

Paste this code block.

Replace <<LOG-SHIPPING-TOKEN>> with the token of the account you want to ship to.

# ...
# Event logs to collect; the Security log is where domain logon and
# account-management events land.
winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: Security
  - name: System

# Fields attached to every event so the SIEM can parse and route it.
fields:
  logzio_codec: json

  # Your account token. You can find your token at
  token: <<LOG-SHIPPING-TOKEN>>
  type: wineventlog
fields_under_root: true

If you're running Winlogbeat 7 or 8, paste this code block. Otherwise, you can leave it out.

# ... For Winlogbeat 7 or 8 only ...
# Rename ECS fields added in Winlogbeat 7+ to the names the SIEM expects.
processors:
  - rename:
      fields:
        - from: "agent"
          to: "beat_agent"
      ignore_missing: true
  - rename:
      fields:
        - from: "log.file.path"
          to: "source"
      ignore_missing: true
  - rename:
      fields:
        - from: "log"
          to: "log_information"
      ignore_missing: true

Set your SIEM account as the output

If your SIEM account isn't already the output, set it now.

Winlogbeat can have one output only, so remove any other output entries.

Replace <<LISTENER-HOST>> with the listener host for your region; the host differs depending on where your account is hosted (for example, AWS US East or Azure West Europe).

# ...
# Ship over TLS to the listener on port 5015, trusting only the CA
# certificate downloaded above.
output.logstash:
  hosts: ["<<LISTENER-HOST>>:5015"]
  ssl:
    certificate_authorities: ['C:\ProgramData\Winlogbeat\COMODORSADomainValidationSecureServerCA.crt']

Restart Winlogbeat

Restart-Service winlogbeat

Check for your logs

Give your logs some time to get from your system to ours, and then open OpenSearch Dashboards.

If you still don't see your logs, see log shipping troubleshooting.
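The steps above, run end to end from an elevated PowerShell prompt with a few checks that catch the usual reasons logs never arrive (a placeholder left in the file, a second output section, a CA certificate the listener does not present, a service that did not come back up). This is an added example, not code from the original page or from the Winlogbeat project. The install directory, configuration path and certificate path are the ones the page uses; the certificate download URL, the Winlogbeat log directory under ProgramData and the error patterns searched for are assumptions and are marked as such in the comments.

```powershell
# Added example: runs the Winlogbeat setup procedure with sanity checks.
# Paths follow the page; the certificate URL and log directory are assumptions.
$ErrorActionPreference = 'Stop'

$WinlogbeatDir = 'C:\Program Files\Winlogbeat'
$ConfigPath    = Join-Path $WinlogbeatDir 'winlogbeat.yml'
$CertPath      = 'C:\ProgramData\Winlogbeat\COMODORSADomainValidationSecureServerCA.crt'
$CertUrl       = 'https://<<CERT-DOWNLOAD-URL>>'   # placeholder: the page does not give the URL
$ListenerHost  = '<<LISTENER-HOST>>'               # same placeholder as in the output block

# 1. Fetch the CA certificate the output block references; create the folder if needed.
New-Item -ItemType Directory -Force -Path (Split-Path $CertPath) | Out-Null
Invoke-WebRequest -Uri $CertUrl -OutFile $CertPath -UseBasicParsing

# 2. Refuse to continue if a <<...>> placeholder was left in the file, or if more
#    than one output.* section is present (Winlogbeat accepts exactly one output).
$config = Get-Content -Raw $ConfigPath
if ($config -match '<<LOG-SHIPPING-TOKEN>>|<<LISTENER-HOST>>') {
    throw 'winlogbeat.yml still contains a <<...>> placeholder'
}
$outputs = [regex]::Matches($config, '(?m)^output\.\w+:').Count
if ($outputs -ne 1) {
    throw "expected exactly one output.* section, found $outputs"
}

# 3. Let Winlogbeat parse the file, then open a TLS connection to the listener.
#    'test config' and 'test output' are built-in Winlogbeat subcommands;
#    -e sends their log output to the console.
Push-Location $WinlogbeatDir
try {
    & .\winlogbeat.exe test config -c $ConfigPath -e
    if ($LASTEXITCODE -ne 0) { throw 'winlogbeat.yml failed to parse' }
    & .\winlogbeat.exe test output -c $ConfigPath -e
    if ($LASTEXITCODE -ne 0) { throw "could not reach ${ListenerHost}:5015 over TLS" }
} finally {
    Pop-Location
}

# 4. Restart the service (the step from the page) and confirm it is running.
Restart-Service winlogbeat
$svc = Get-Service winlogbeat
if ($svc.Status -ne 'Running') { throw "winlogbeat service is $($svc.Status), not Running" }

# 5. Scan the newest Winlogbeat log for connection or certificate errors.
#    Assumption: the service installer writes logs under ProgramData.
$LogDir = 'C:\ProgramData\winlogbeat\logs'
$latest = Get-ChildItem $LogDir -Filter 'winlogbeat*' -ErrorAction SilentlyContinue |
          Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($latest) {
    Get-Content $latest.FullName -Tail 200 |
        Select-String -Pattern 'ERROR|x509|certificate|connection refused|i/o timeout'
}
```

If step 3 fails on `test output`, the problem is between this host and the listener (firewall, wrong region host, or a CA file that does not match the listener's certificate chain) rather than in the event-log configuration, which narrows the troubleshooting before you look at the dashboard.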