Microsoft Windows Event Log

Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai MDR application and we shall get it updated.

ProductSamurai [Local] CollectorSamurai [Cloud] Collector
Microsoft Windows Event LogPicture1.svg

Use this document to install and configure the Winlogbeat agent to send Microsoft Windows Event Logs to Samurai using the Samurai Local Collector deployed in your network.

To complete this Integration you will need to:

  1. Ensure correct network connectivity
  2. Download & install Winlogbeat
  3. Configure & Start Winlogbeat

notice_icon.png This guide is based on the premise of a single Samurai Local Collector installation with deployment of a single Windows host. Repeat these steps outlined in this guide for each Windows host and site.

Ensure correct network connectivity

You must ensure the following connectivity requirements are fulfilled:

SourceDestinationPortsDescription
Windows HostSamurai Local CollectorTCP/5044For log transmission

Download & Install Winlogbeat

Perform the steps outlined in Step 1: Install Winlogbeat as per the vendor documentation.

Configure & Start Winlogbeat

  1. Access the Winlogbeat installation folder and open and edit the file winlogbeat.yml.
  2. Modify the below template by replacing the section IP_OF_LOCAL_COLLECTOR with the IP address of the Samurai Local Collector.
# ======================== Winlogbeat specific options =========================
winlogbeat.event_logs:
  - name: Application
  - name: System
  - name: Security
  - name: Microsoft-Windows-Sysmon/Operational
# ------------------------------ Logstash Output -------------------------------
output.logstash:
  hosts: ["IP_OF_LOCAL_COLLECTOR:5044"]

notice_icon.png Default recommendation is to ingest logs from Application, System, Security and Sysmon (if used and installed). Optionally, if you want to ingest other event logs, follow the vendor guidelines to find the correct event log names to use and modify the template accordingly.

  1. Replace the default configuration of winlogbeat.yml with the modified template and save the file.
  2. Perform the steps outlined in Step 5: Start Winlogbeat as per the vendor documentation to start the service.

notice_icon.png The section about authorized to publish events can be ignored.