j91321.winlogbeat
ansible-role-winlogbeat
This is an Ansible role that installs Winlogbeat to monitor Windows logs.
Supported Platforms:
- Windows 10
- Windows Server 2019
- Windows Server 2016
Requirements:
None
Role Variables:
The variables below are the role defaults from defaults/main.yml; override any of them in your playbook or inventory.
winlogbeat_event_logs:
  channels:
    - name: Application
      ignore_older: "72h"
    - name: System
      ignore_older: "72h"
  security: true
  sysmon: false
  powershell: true
  wef: false

winlogbeat_output:
  type: "elasticsearch"
  elasticsearch:
    hosts:
      - "localhost:9200"
    security:
      enabled: false

winlogbeat_processors: |
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~

winlogbeat_service:
  install_path_64: "C:\\Program Files\\Elastic\\winlogbeat"
  install_path_32: "C:\\Program Files (x86)\\Elastic\\winlogbeat"
  version: "7.9.1"
  download: true
Note: The winlogbeat_service.download variable determines whether the installation zip is downloaded from https://artifacts.elastic.co/ on the target or copied from the Ansible controller. If your servers have no internet access, set it to false, download the zip yourself, verify it against the SHA-512 checksum Elastic publishes next to the artifact, and place it in the role's ./files/ folder without renaming it.
Caution: Ensure that install_path_64 and install_path_32 end with \winlogbeat. The final cleanup task removes everything from the installation path that does not include the current Winlogbeat version number, so pointing it at a shared directory such as C:\Program Files would delete unrelated software.
Dependencies:
None.
Example Playbook:
Here is an example playbook that changes the installation location, collects Windows Defender logs, filters out noisy object-access security events with a drop_event processor, and sends everything to a Redis output. The Redis password is shown inline for brevity; in a real inventory keep it in an Ansible Vault-encrypted variable rather than in the playbook.
- name: Install winlogbeat to workstations
  hosts:
    - workstations
  vars:
    winlogbeat_service:
      install_path_64: "C:\\Program Files\\monitoring\\winlogbeat"
      install_path_32: "C:\\Program Files (x86)\\monitoring\\winlogbeat"
      version: "7.9.1"
      download: false
    winlogbeat_event_logs:
      channels:
        - name: Application
          ignore_older: "72h"
        - name: System
          ignore_older: "72h"
        - name: Microsoft-Windows-Windows Defender/Operational
          ignore_older: "72h"
      security: true
      security_processors: |
        - drop_event.when.or:
            - equals.winlog.event_id: 4656 # A handle to an object was requested.
            - equals.winlog.event_id: 4658 # The handle to an object was closed.
            - equals.winlog.event_id: 4659 # A handle to an object was requested with intent to delete.
            - equals.winlog.event_id: 4660 # An object was deleted.
            - equals.winlog.event_id: 4663 # An attempt was made to access an object.
            - equals.winlog.event_id: 4664 # An attempt was made to create a hard link.
            - equals.winlog.event_id: 4691 # Indirect access to an object was requested.
      powershell: true
      sysmon: true
      wef: false
    winlogbeat_template:
      enabled: false
    winlogbeat_general:
      tags:
        - "workstation"
        - "winlogbeat"
    winlogbeat_output:
      type: "redis"
      redis:
        hosts:
          - "192.168.24.33:6379"
        password: "my_super_long_redis_password_because_redis_is_fast"
        key: "winlogbeat-workstation"
  roles:
    - j91321.winlogbeat
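The drop_event list above and the add_host_metadata condition in the defaults both use the Beats condition syntax, where dotted keys such as drop_event.when.or are shorthand for nested objects. To check a drop list against sample events before deploying it, here is a small evaluator for that syntax; it is an added example, not code from the role or from Winlogbeat, it supports the operators the README uses (equals, contains, or, not) plus and, and the events it runs over are constructed, not captured logs. Event IDs are integers because the playbook writes them unquoted.

```python
"""Evaluate Beats-style drop_event conditions offline (added example)."""
from typing import Any

# The security_processors block from the playbook, in the same dotted-key form.
SECURITY_PROCESSORS = [
    {"drop_event.when.or": [
        {"equals.winlog.event_id": 4656},
        {"equals.winlog.event_id": 4658},
        {"equals.winlog.event_id": 4659},
        {"equals.winlog.event_id": 4660},
        {"equals.winlog.event_id": 4663},
        {"equals.winlog.event_id": 4664},
        {"equals.winlog.event_id": 4691},
    ]},
]

# The condition on add_host_metadata from the role defaults.
NOT_FORWARDED = {"not.contains.tags": "forwarded"}

# Constructed sample events in the nested shape Winlogbeat emits; not real logs.
SAMPLE_EVENTS = [
    {"winlog": {"event_id": 4624, "channel": "Security"}, "tags": ["workstation"]},
    {"winlog": {"event_id": 4663, "channel": "Security"}, "tags": ["workstation"]},
    {"winlog": {"event_id": 4688, "channel": "Security"}, "tags": ["workstation"]},
    {"winlog": {"event_id": 4656, "channel": "Security"}, "tags": ["workstation", "forwarded"]},
]


def expand(obj: Any) -> Any:
    """Turn dotted keys into nested dicts: {"a.b": 1} -> {"a": {"b": 1}}."""
    if isinstance(obj, list):
        return [expand(x) for x in obj]
    if not isinstance(obj, dict):
        return obj
    out: dict = {}
    for key, value in obj.items():
        parts = key.split(".")
        cur = out
        for part in parts[:-1]:
            cur = cur.setdefault(part, {})
        cur[parts[-1]] = expand(value)
    return out


def flatten(d: dict, prefix: str = "") -> dict:
    """Inverse of expand for a leaf dict: {"winlog": {"event_id": 1}} -> {"winlog.event_id": 1}."""
    out = {}
    for k, v in d.items():
        key = f"{prefix}.{k}" if prefix else k
        if isinstance(v, dict):
            out.update(flatten(v, key))
        else:
            out[key] = v
    return out


def get_field(event: dict, path: str) -> Any:
    """Look up a dotted field path in a nested event; None if absent."""
    cur: Any = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches(cond: dict, event: dict) -> bool:
    """Evaluate one expanded condition object (exactly one operator) against an event."""
    if len(cond) != 1:
        raise ValueError("a condition object holds exactly one operator")
    (op, arg), = cond.items()
    if op == "or":
        return any(matches(c, event) for c in arg)
    if op == "and":
        return all(matches(c, event) for c in arg)
    if op == "not":
        return not matches(arg, event)
    if op in ("equals", "contains"):
        for path, expected in flatten(arg).items():
            actual = get_field(event, path)
            if op == "equals":
                ok = actual == expected
            elif isinstance(actual, list):  # contains on a list field: membership
                ok = expected in actual
            else:  # contains on a string field: substring
                ok = isinstance(actual, str) and expected in actual
            if not ok:
                return False
        return True
    raise ValueError(f"unsupported condition {op!r}")


def apply_drop_events(processors: list, events: list) -> list:
    """Return the events that survive every drop_event processor in the list."""
    expanded = expand(processors)
    kept = []
    for event in events:
        when_list = [p["drop_event"]["when"] for p in expanded if "drop_event" in p]
        if not any(matches(when, event) for when in when_list):
            kept.append(event)
    return kept


def surviving_event_ids(processors: list, events: list) -> list:
    """Convenience: the winlog.event_id values left after the drop list runs."""
    return [get_field(e, "winlog.event_id") for e in apply_drop_events(processors, events)]


if __name__ == "__main__":
    print("kept:", surviving_event_ids(SECURITY_PROCESSORS, SAMPLE_EVENTS))
    for e in SAMPLE_EVENTS:
        print(e["winlog"]["event_id"], "gets host metadata:", matches(expand(NOT_FORWARDED), e))
```

With the constructed events, 4663 and 4656 are dropped and 4624 and 4688 survive, and only the event tagged "forwarded" is excluded from add_host_metadata, which is the behaviour the defaults intend for events relayed through Windows Event Forwarding. Type matters for equals: if your pipeline stores winlog.event_id as a string, an integer in the drop list will never match, and the noisy events will keep flowing.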
License:
MIT
Author Information:
j91321
Notes:
The role includes a template compatible with Winlogbeat 6 located in ./templates/winlogbeat6.yml.j2. To use this template, either replace winlogbeat.yml.j2 with it or modify the tasks accordingly.
Install Winlogbeat for Windows event log monitoring. To fetch the role from Ansible Galaxy:
ansible-galaxy install j91321.winlogbeat