TIPS: Honghu version for this article: 2.10.0 and above
Overview
This article refines and extends the article "IT Operation and Maintenance: Using Honghu to Collect Windows Event Log Data" (hereinafter referred to as the original text). It mainly refines the installation steps and adds a dashboard.
Honghu terminal configuration
Create dataset and data source types
Log in to Honghu and create a dataset and data type in advance. Here I created a dataset named winlog, which is referenced when configuring vector.toml in "Install vector" below. As shown below:
Open vector_input on Honghu, select Import from external data > Edit, select the dataset range, choose the winlog dataset created above, and click OK. This configuration means that the data sent by Vector is received on port 20000 and saved to the specified dataset winlog.
Windows side configuration
On the Windows side, install Winlogbeat first, then Vector.
●Winlogbeat collects the Windows event log
●Vector sends the Windows event log to Honghu
Install Winlogbeat
Download winlogbeat
(https://www.elastic.co/cn/downloads/beats/winlogbeat)
Unzip the downloaded package to C:\ and rename the winlogbeat- directory to winlogbeat
Open the PowerShell prompt as administrator
(Optional) .\install-service-winlogbeat.ps1 error resolution
Check if the service is running
Enter the installation directory, which defaults to C:\winlogbeat. Edit the configuration file winlogbeat.yml: delete all of its contents and keep only this part.
TIPS:
Winlogbeat can collect various Windows event logs, such as Application, System and Security. Its configuration file can be edited to reduce or increase the logs that are monitored. The configuration file path is as follows:
If you modify the configuration file, you can test it with the following command:
Winlogbeat creates a directory named data in the startup directory of the winlogbeat.exe process. If you want Winlogbeat to reacquire all event log data, delete this directory after the winlogbeat.exe process has stopped, and then restart it.
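The Winlogbeat steps above, written out as one elevated PowerShell session. This is an added example, not a script from the original article: it assumes the package was unzipped and renamed to C:\winlogbeat, that Vector will listen for Beats (Logstash-protocol) traffic on 127.0.0.1:5044, and that the install-script error the article refers to is the PowerShell execution policy, which is the usual cause.

```powershell
# Added example (not from the original article): register Winlogbeat as a service,
# write a minimal winlogbeat.yml, validate it, start it and inspect the checkpoint dir.
# Assumptions: C:\winlogbeat is the install directory; Vector will receive on 127.0.0.1:5044.
# Run from an elevated (Administrator) PowerShell prompt.

$WinlogbeatHome = 'C:\winlogbeat'
Set-Location $WinlogbeatHome

# The install script is blocked by the default execution policy on many hosts.
# Running it with -ExecutionPolicy Unrestricted for this one process is the usual fix
# (assumed to be the error the article's optional step is about).
PowerShell.exe -ExecutionPolicy Unrestricted -File .\install-service-winlogbeat.ps1

# Minimal configuration: the three standard channels, shipped to Vector through the
# Logstash (Beats protocol) output. Add or remove 'name:' entries to change what is
# collected; ignore_older skips Application events older than 72 hours on first run.
@'
winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: System
  - name: Security

output.logstash:
  hosts: ["127.0.0.1:5044"]
'@ | Set-Content -Path "$WinlogbeatHome\winlogbeat.yml" -Encoding ascii

# Validate the configuration before starting the service; -e sends log output to stderr.
.\winlogbeat.exe test config -c .\winlogbeat.yml -e
if ($LASTEXITCODE -ne 0) { throw "winlogbeat.yml failed validation" }

# Start and confirm the service is running and set to start at boot.
Start-Service winlogbeat
Get-Service winlogbeat | Select-Object Name, Status, StartType

# The checkpoint (bookmark) files live under the data directory; this is what
# Winlogbeat resumes from after a restart, so it is worth knowing where it is.
Get-ChildItem "$WinlogbeatHome\data" -ErrorAction SilentlyContinue
```

When Winlogbeat runs as a service its working directory is the install directory, so the data directory is C:\winlogbeat\data; when winlogbeat.exe is started by hand from another directory, the data directory is created there instead.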
Install vector
Download vector
Unzip the downloaded package to C:\ and rename it to vector (renaming mainly makes it easy to call from the command line)
Enter the C:\vector\config directory and modify the vector.toml configuration file
Open PowerShell and run Vector
Now log in to Honghu and you can see that the data has been sent. After logging in to Honghu, the data looks as follows:
After verifying that everything works, configure Vector to run automatically at boot
Open the Vector service and set it to start automatically at boot
If the configuration is wrong, delete the service. If an error occurs after deletion, it will prompt "DeleteService FAILED 1072"; just log out and log in again.
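The Vector steps above as one PowerShell session: write vector.toml, validate it, run Vector once in the foreground, then register it as a service that starts at boot. This is an added example, not the original article's configuration. It assumes Vector was unzipped to C:\vector (bin\vector.exe, config\vector.toml), that Winlogbeat sends to 127.0.0.1:5044 via its Logstash output, and that Honghu's vector_input accepts newline-delimited JSON over TCP on port 20000; HONGHU_HOST is a placeholder for the Honghu server address. Check the port and protocol against the vector_input settings shown in Honghu.

```powershell
# Added example (not from the original article). Assumptions: Vector lives in C:\vector,
# Winlogbeat ships to 127.0.0.1:5044, Honghu's vector_input takes JSON lines over TCP
# on port 20000. Run from an elevated PowerShell prompt.

$VectorHome = 'C:\vector'
$HonghuHost = 'HONGHU_HOST'   # placeholder: IP or hostname of the Honghu server

@"
# Receive Beats (Lumberjack) traffic from Winlogbeat.
[sources.winlogbeat]
type = "logstash"
address = "127.0.0.1:5044"

# Forward every event to Honghu as one JSON object per line over TCP.
[sinks.honghu]
type = "socket"
inputs = ["winlogbeat"]
mode = "tcp"
address = "${HonghuHost}:20000"

[sinks.honghu.encoding]
codec = "json"
"@ | Set-Content -Path "$VectorHome\config\vector.toml" -Encoding ascii

Set-Location $VectorHome

# Validate the configuration, then run Vector in the foreground to confirm that events
# reach the winlog dataset in Honghu. Stop it with Ctrl+C once data is visible.
.\bin\vector.exe validate .\config\vector.toml
if ($LASTEXITCODE -ne 0) { throw "vector.toml failed validation" }
.\bin\vector.exe --config .\config\vector.toml

# Register Vector as a Windows service that starts automatically at boot.
# (Vector also ships its own 'vector service install' subcommand on Windows;
# New-Service is used here so the startup type is visible in the same command.)
$binPath = "`"$VectorHome\bin\vector.exe`" --config `"$VectorHome\config\vector.toml`""
New-Service -Name vector -BinaryPathName $binPath -DisplayName 'Vector' -StartupType Automatic
Start-Service vector
Get-Service vector | Select-Object Name, Status, StartType

# If the configuration turns out to be wrong, stop and delete the service, fix the
# file and re-create it. "DeleteService FAILED 1072" means the service is marked for
# deletion but still held open (for example by an open Services window); logging out
# and back in releases it, as the article notes.
#   Stop-Service vector
#   sc.exe delete vector
```

The socket sink is a plain TCP forwarder, so anything listening on port 20000 sees one JSON line per event. If Honghu's vector_input is configured for a different transport, only the `[sinks.honghu]` section needs to change; the Winlogbeat side and the `logstash` source stay the same.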
Dashboard
I have created a data analysis dashboard for the Windows event log and saved it as a configuration file. You can import the dashboard configuration file directly (see the attachment at the end of the article) to create it. If your dataset name differs from mine, you need to change the dataset name.
Dashboard import
Create a new dashboard > Select the dashboard configuration file > Browse and select the dashboard file you want to import.
Dashboard display
The rendering mainly contains two parts: the first is an event overview, and the second is an analysis of login events.
Dashboard file
Windows Event Dashboard.json (18 kB)
(For specific documents, please join the Honghu technical exchange group and go to the knowledge base to obtain them)
Solving incomplete Windows event logs
Symptom
If the data that comes in is incomplete, it is because Winlogbeat creates a directory named data in the startup directory of the winlogbeat.exe process, and a checkpoint is stored there. If the process is interrupted, the next run may start from the next checkpoint rather than the one you intended, so the data is incomplete at that point: it reads from the new checkpoint, not from the last checkpoint you planned.
Solution
To make Winlogbeat reacquire all event log data, delete this directory after the winlogbeat.exe process has stopped, and then restart it. The method is as follows:
First delete the data in the dataset on YHP, to avoid duplicate data when the data is ingested again.
Press Ctrl+C to stop the Vector data input
Delete the data directory
Rerun Vector
Query again; the data entries are now complete.
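The reset procedure above as a PowerShell script. This is an added example, not part of the original article. It assumes Winlogbeat runs as the winlogbeat service from C:\winlogbeat and that Vector was registered as a service named vector (if Vector is running by hand, stop it with Ctrl+C instead, as the article does). Deleting the old records from the winlog dataset in Honghu is done in the Honghu UI before running this; otherwise the re-read events are stored twice.

```powershell
# Added example (not from the original article): reset Winlogbeat's checkpoint so the
# whole event log is re-read. Assumes services named 'winlogbeat' and 'vector' and an
# install directory of C:\winlogbeat. Run from an elevated PowerShell prompt.

$WinlogbeatHome = 'C:\winlogbeat'
$DataDir = Join-Path $WinlogbeatHome 'data'

# 1. Stop the pipeline so nothing writes a new checkpoint while it is being removed.
foreach ($svc in 'vector', 'winlogbeat') {
    if (Get-Service $svc -ErrorAction SilentlyContinue) {
        Stop-Service $svc -ErrorAction Stop
    }
}
# A winlogbeat.exe started from a console rather than as a service would still hold
# the checkpoint; refuse to continue until it is gone.
if (Get-Process winlogbeat -ErrorAction SilentlyContinue) {
    throw "winlogbeat.exe is still running; stop it before deleting the data directory"
}

# 2. Remove the checkpoint. The directory is renamed rather than deleted so the
#    previous bookmarks can be restored if this was run by mistake.
if (Test-Path $DataDir) {
    $backupName = "data.bak-$(Get-Date -Format yyyyMMddHHmmss)"
    Rename-Item -Path $DataDir -NewName $backupName
    Write-Host "Checkpoint moved to $(Join-Path $WinlogbeatHome $backupName)"
} else {
    Write-Host "No data directory at $DataDir; nothing to reset"
}

# 3. Restart in order: Vector first so port 5044 is listening, then Winlogbeat, which
#    now has no bookmark and reads every channel from the beginning.
Start-Service vector
Start-Service winlogbeat

# 4. Confirm a fresh data directory was created and both services are running.
Start-Sleep -Seconds 5
Get-ChildItem $DataDir
Get-Service vector, winlogbeat | Select-Object Name, Status
```

After the services are back, re-run the query in Honghu; the count of events in the winlog dataset should now match the full channel contents rather than the slice after the stale checkpoint.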