This version is powered by the (open-source and free) Elastic Stack components ElasticSearch, Kibana and WinLogBeat:
the script basically installs those solutions and configures them accordingly.
First of all, none of this would be possible without the Elastic Stack solutions and Jean-François Larvoire's script on how to create a Windows Service using PowerShell.
The script will:
- Enable Event Forwarding on the server
- Create the Event Forwarding subscriptions
- Install ElasticSearch
- Install Kibana\*
- Install WinLogBeat
- Configure the Domain Controllers to forward events\*\*
- \* Kibana does not create a Windows service by default. The script does that and sets the service to depend on the ElasticSearch service.
- \*\* Even though the script will try to configure the Event Forwarding subscription on each Domain Controller, I advise configuring a GPO to set up Event Forwarding (a template GPO is available in the GPO folder of this repository): https://github.com/ClaudioMerola/HFServerEventsV2/blob/master/Docs/GroupPolicy.md
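As an added example (this is not the repository's script), the collector-side part of the first two steps above looks like this in PowerShell: enable the Windows Event Collector service and create a source-initiated subscription that the Domain Controllers push their events into. The subscription name, the event IDs in the query and the SDDL are illustrative assumptions; adjust them to the events you actually want to collect.

```powershell
# Added example, not the repository's script. Run in an elevated PowerShell
# on the collector server. Assumed values: subscription name, event IDs, SDDL.
#Requires -RunAsAdministrator

# 1. Enable the Windows Event Collector service (sets it to start automatically
#    and registers the WinRM listener it needs). /q suppresses the prompt.
wecutil qc /q

# 2. Describe the subscription. SourceInitiated means each DC pushes events to
#    this server (the mode the repository's GPO template configures), so the
#    collector needs no credentials on the DCs.
$subscriptionName = 'DomainControllers-Security'   # assumed name
$xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$subscriptionName</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Security events pushed by the Domain Controllers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query>
    <![CDATA[
      <QueryList>
        <!-- Illustrative selection: logons, failed logons, lockouts, group changes -->
        <Query Id="0" Path="Security">
          <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4740 or EventID=4728 or EventID=4732)]]</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <!-- SDDL: allow the built-in Domain Controllers group (SID abbreviation DC) -->
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
"@

# 3. Create the subscription from the XML (replace it if it already exists).
$xmlPath = Join-Path $env:TEMP "$subscriptionName.xml"
$xml | Set-Content -Path $xmlPath -Encoding UTF8
if ((wecutil es) -contains $subscriptionName) {
    wecutil ds $subscriptionName
}
wecutil cs $xmlPath

# 4. Show the subscription definition and its runtime status. Source computers
#    appear under "gr" only after their WinRM client has checked in.
wecutil gs $subscriptionName
wecutil gr $subscriptionName
```

Two things to verify on the source side: the GPO (or the script) must point each DC's WinRM client at this collector, and the forwarder on each DC runs as NETWORK SERVICE, which must be allowed to read the Security log (commonly by membership of the Event Log Readers group). Until both are in place `wecutil gr` lists no source computers and the Forwarded Events log stays empty.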
The script expects the installation files for ElasticSearch, Kibana and WinLogBeat to be present on the C: drive (in any folder) of the server:
- Windows Server (I used Windows Server 2019 during testing, but it should work on at least Windows Server 2012 R2)
- ElasticSearch (MSI installer), which can be downloaded from: https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.8.0.msi
- Kibana. Download the ZIP file from: https://artifacts.elastic.co/downloads/kibana/kibana-7.8.0-windows-x86_64.zip
- WinLogBeat (MSI installer), which can be downloaded from: https://artifacts.elastic.co/downloads/beats/winlogbeat/winlogbeat-7.8.0-windows-x86_64.msi
- Just put everything together and run the script :)
- Browse to http://servername:5601 and enjoy the WinLogBeat dashboards
After the script finishes, if everything ran smoothly you should see events start to appear in the Forwarded Events log on the server.
The next thing to do is open Internet Explorer on the server and browse to http://localhost:5601. This opens the Kibana portal.
You should be presented with the Kibana home page. There are 3 main areas you will use:
- Dashboards (for an overall view and the consolidated status of the collector server)
- Visualize (for custom reports and graphics on a specific status)
- Discover (for details and event searches)
Details on how to use the "Discover" section are in the HowTo document: https://github.com/ClaudioMerola/HFServerEventsV2/blob/master/Docs/HowTo.md
If you open the portal and are not presented with the Kibana home page, or are presented with a screen asking you to configure the index pattern, re-run the script's phase that configures WinLogBeat.
Under the hood this runs WinLogBeat with the "setup" parameter, which creates the index patterns, dashboards, etc. in Kibana.
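As an added example (not part of the repository), the following PowerShell checks the points the README tells you to look at after the script finishes, and wraps the WinLogBeat "setup" step described above so it can be re-run on its own. The service names and the WinLogBeat executable and config paths are assumptions based on the 7.x MSI defaults; change them if your installation differs.

```powershell
# Added example, not the repository's script. Assumed: service names
# (elasticsearch-service-x64, kibana, winlogbeat) and the Winlogbeat 7.8.0
# MSI default paths. Run in an elevated PowerShell on the collector server.
#Requires -RunAsAdministrator

function Test-CollectorHealth {
    $result = [ordered]@{}

    # 1. Are events arriving in the Forwarded Events log? (the README's first check)
    $latest = Get-WinEvent -LogName ForwardedEvents -MaxEvents 1 -ErrorAction SilentlyContinue
    $result['ForwardedEventsLatest'] = if ($latest) { $latest.TimeCreated } else { 'none yet' }

    # 2. Which source computers have checked in, per subscription?
    foreach ($sub in (wecutil es)) {
        $result["Subscription:$sub"] = (wecutil gr $sub) -join "`n"
    }

    # 3. Services: Kibana should list ElasticSearch as a dependency
    #    (that is what the script's custom service registration sets).
    foreach ($svc in 'elasticsearch-service-x64', 'kibana', 'winlogbeat') {   # assumed names
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        $result["Service:$svc"] = if ($s) {
            "$($s.Status) (depends on: $($s.ServicesDependedOn.Name -join ','))"
        } else { 'not installed' }
    }

    # 4. Ports: ElasticSearch REST API (9200) and the Kibana portal (5601).
    foreach ($port in 9200, 5601) {
        $tnc = Test-NetConnection -ComputerName localhost -Port $port -WarningAction SilentlyContinue
        $result["Port:$port"] = $tnc.TcpTestSucceeded
    }

    # 5. ElasticSearch cluster health. Yellow is normal on a single node
    #    (replica shards cannot be allocated); red means data is missing.
    try {
        $health = Invoke-RestMethod -Uri 'http://localhost:9200/_cluster/health'
        $result['ClusterStatus'] = $health.status
    } catch {
        $result['ClusterStatus'] = "unreachable: $($_.Exception.Message)"
    }

    [pscustomobject]$result
}

function Invoke-WinlogbeatSetup {
    # Re-creates the index template, index pattern and dashboards in
    # ElasticSearch/Kibana. -e writes the log to stderr so errors are visible.
    $exe  = 'C:\Program Files\Elastic\Beats\7.8.0\winlogbeat\winlogbeat.exe'   # assumed path
    $conf = 'C:\ProgramData\Elastic\Beats\winlogbeat\winlogbeat.yml'           # assumed path
    & $exe setup -e -c $conf `
        -E 'setup.kibana.host=localhost:5601' `
        -E 'output.elasticsearch.hosts=["localhost:9200"]'
}

Test-CollectorHealth | Format-List
# Run Invoke-WinlogbeatSetup only when Kibana shows no index pattern or dashboards.
```

If `ForwardedEventsLatest` is "none yet" but a subscription lists source computers, wait a few minutes (MinLatency mode still batches) before assuming something is wrong; if no source computers appear at all, the problem is on the DC side (GPO or WinRM), not in the Elastic components.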