Active Directory is a directory service developed by Microsoft for Windows domain networks. This integration allows you to send Active Directory logs to your Logz.io SIEM account.
Before you begin, you’ll need: Winlogbeat 8, Winlogbeat 7.0.0 or Winlogbeat 6.
Download the Logz.io public certificate
Logz.io public certificate
on your machine.
Configure Windows applications as an input
If you’re working with the default configuration file,
clear the content and start with a fresh file.
Paste this code block.
<<LOG-SHIPPING-TOKEN>> with the token of the account you want to ship to.
# ... winlogbeat.event_logs: - name: Application ignore_older: 72h - name: Security - name: System fields: logzio_codec: json # Your Logz.io account token. You can find your token at # https://app.logz.io/#/dashboard/settings/manage-accounts token: <<LOG-SHIPPING-TOKEN>> type: wineventlog fields_under_root: true
If you’re running Winlogbeat 7 or 8, paste this code block. Otherwise, you can leave it out.
# ... For Winlogbeat 7 or 8 only ... processors: - rename: fields: - from: "agent" to: "beat_agent" ignore_missing: true - rename: fields: - from: "log.file.path" to: "source" ignore_missing: true - rename: fields: - from: "log" to: "log_information" ignore_missing: true
Set Logz.io as the output
If Logz.io isn’t the output, set it now.
Winlogbeat can have one output only, so remove any other
<<LISTENER-HOST>> with the host for your region. For example,
listener.logz.io if your account is hosted on AWS US East, or
listener-nl.logz.io if hosted on Azure West Europe. The required port depends whether HTTP or HTTPS is used: HTTP = 8070, HTTPS = 8071.
# ... output.logstash: hosts: ["<<LISTENER-HOST>>:5015"] ssl: certificate_authorities: ['C:\ProgramData\Winlogbeat\COMODORSADomainValidationSecureServerCA.crt']
Check Logz.io for your logs
Give your logs some time to get from your system to ours, and then open Open Search Dashboards.
If you still don’t see your logs, see log shipping troubleshooting.