InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/


Sending Windows Logs to the ELK Stack – Part 3

Ghostploit · Published in InfoSec Write-ups · 4 min read · 4 days ago

Hello, my digital adventurers! In this article, I will show you how to send Windows Sysmon logs to your ELK Stack. I recommend reading my previous articles on setting up ELK and the agent before proceeding with this guide.

First of all, we need to install Sysmon on the Windows machine where the Elastic Agent is running.

  • Download Sysmon from this link and extract the zip archive.
  • Then go to this GitHub page and download the Sysmon configuration file (sysmonconfig.xml).
  • Copy the configuration file into the folder where you just extracted Sysmon. Then open PowerShell as Administrator, change into that folder, and run the following command:
.\Sysmon64.exe -i sysmonconfig.xml
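The install step above gives no feedback that Sysmon is actually producing events for the Elastic Agent to pick up. The following PowerShell script is an added example (not from the original article): it installs or reloads Sysmon with the downloaded config and then verifies the service and the Microsoft-Windows-Sysmon/Operational channel. It assumes Sysmon64.exe and sysmonconfig.xml are in the current folder and that it runs from an elevated prompt.

```powershell
# Added example, not from the original article. Installs (or updates) Sysmon
# with the config from the previous step and checks that the service and
# its event channel, which the Elastic Agent will collect, are working.
# Assumptions: Sysmon64.exe and sysmonconfig.xml sit in the current folder.
$ErrorActionPreference = 'Stop'
$SysmonExe  = '.\Sysmon64.exe'
$ConfigFile = '.\sysmonconfig.xml'
$Channel    = 'Microsoft-Windows-Sysmon/Operational'

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) PowerShell prompt.'
}

# The config is XML; fail early if the download is truncated or corrupted.
[xml]$cfg = Get-Content -Path $ConfigFile -Raw
Write-Host "Config schema version: $($cfg.Sysmon.schemaversion)"

if (Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue) {
    # Already installed: -c reloads the configuration without reinstalling.
    & $SysmonExe -c $ConfigFile
} else {
    # -accepteula suppresses the interactive EULA dialog on first install.
    & $SysmonExe -accepteula -i $ConfigFile
}
if ($LASTEXITCODE -ne 0) { throw "Sysmon returned exit code $LASTEXITCODE" }

# Verify the service is running and the event channel exists and is enabled.
$svc = Get-Service -Name 'Sysmon64'
if ($svc.Status -ne 'Running') { throw "Sysmon64 service is $($svc.Status)" }
$log = Get-WinEvent -ListLog $Channel
if (-not $log.IsEnabled) { throw "Channel $Channel is not enabled" }

# Start a harmless process; with most configs this yields Event ID 1
# (ProcessCreate) unless the config's exclusion rules filter it out.
Start-Process -FilePath 'whoami.exe' -Wait -WindowStyle Hidden
Write-Host "Most recent events in $Channel :"
Get-WinEvent -LogName $Channel -MaxEvents 5 |
    Select-Object TimeCreated, Id, ProviderName |
    Format-Table -AutoSize
```

If the table is empty, the Elastic Agent integration will have nothing to forward; check the config file and the Sysmon64 service before touching Kibana.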

Now, open Kibana by navigating to http://[ELK-IP]:5601, then follow the steps below.

  • Open the Integrations tab from the left menu, and type ‘Windows’ into the search bar. You will see ‘Custom Windows Event Logs.’ Click on it.
  • Click “Add Custom Windows Event Logs” button.
  • You will see the following…


Written by Ghostploit

Cybersecurity Engineer | Sharing insights, lab writeups & more for the infosec community | If you want to support me, you can at https://buymeacoffee.com/ghostploit
