ELK Stack Setup (Windows + Winlogbeat + Kibana)
- Maryam Ziaee
- 4 days ago
A complete solution for log management, security monitoring, and real-time analytics
1. Start Elasticsearch
Open PowerShell
Navigate to Elasticsearch:
cd C:\elasticsearch\elasticsearch-9.3.2\bin
.\elasticsearch.bat
Verify:
2. Start Kibana
Go to Kibana folder:
cd C:\kibana-9.3.2\bin
.\kibana.bat
Open:
3. Fix Kibana Authentication
Do NOT use the elastic superuser for Kibana
Use the built-in kibana_system user instead:
In kibana.yml:
elasticsearch.hosts: ["http://localhost:9200"]
elasticsearch.username: "kibana_system"
elasticsearch.password: "<your-password>"
4. Configure Winlogbeat
Edit winlogbeat.yml:
winlogbeat.event_logs:
  - name: Application
  - name: System
  - name: Security      # required for the 4624/4625 logon events filtered in step 8
output.elasticsearch:
  hosts: ["http://localhost:9200"]
  username: "elastic"   # fine for a lab; a dedicated least-privilege writer user is preferable
  password: "<your-password>"
5. Test Winlogbeat
.\winlogbeat.exe test config
.\winlogbeat.exe test output
Expected:
Config OK
connection... OK
6. Start Winlogbeat
.\winlogbeat.exe -e
7. Create Data View (Index Pattern)
In Kibana:
Go to Stack Management → Data Views
Create:
winlogbeat-*
Select @timestamp
8. Verify Logs (Discover)
Go to Discover
Select winlogbeat-*
Test filters:
event.code: 4624
event.code: 4625
✔ 4624 → Successful login (An account was successfully logged on)
❌ 4625 → Failed login (An account failed to log on)
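To go beyond eyeballing the two filters in Discover, the following Python script (an added example, not from the original post) runs the same 4624/4625 check as an Elasticsearch query against winlogbeat-* and flags accounts with a burst of failed logons. It assumes Elasticsearch at http://localhost:9200, the credentials from winlogbeat.yml, and Winlogbeat's default winlog.event_data.TargetUserName field; the embedded response is constructed sample data.

```python
"""Count 4624/4625 logons per account from winlogbeat-* and flag failed-logon bursts.
Added example, not part of the original post; assumes Elasticsearch on
http://localhost:9200 and Winlogbeat's default field winlog.event_data.TargetUserName."""
import base64
import json
import urllib.request

ES_URL = "http://localhost:9200"   # from the post's kibana.yml / winlogbeat.yml
INDEX = "winlogbeat-*"             # the data view created in step 7

def build_query(minutes=60, size=50):
    """Aggregate 4624 (success) and 4625 (failure) counts per target user."""
    return {
        "size": 0,
        "query": {"bool": {"filter": [
            {"terms": {"event.code": ["4624", "4625"]}},
            {"range": {"@timestamp": {"gte": f"now-{minutes}m"}}},
        ]}},
        "aggs": {"by_user": {
            "terms": {"field": "winlog.event_data.TargetUserName", "size": size},
            "aggs": {"by_code": {"terms": {"field": "event.code"}}},
        }},
    }

def summarize(response, fail_threshold=10):
    """Map each user to ok/failed counts; flag users at or above the failure threshold."""
    result = {}
    for bucket in response["aggregations"]["by_user"]["buckets"]:
        counts = {b["key"]: b["doc_count"] for b in bucket["by_code"]["buckets"]}
        ok, failed = counts.get("4624", 0), counts.get("4625", 0)
        result[bucket["key"]] = {"ok": ok, "failed": failed, "flag": failed >= fail_threshold}
    return result

def run_query(user, password, minutes=60):
    """POST the query with HTTP basic auth (same credentials as winlogbeat.yml)."""
    req = urllib.request.Request(f"{ES_URL}/{INDEX}/_search", method="POST",
                                 data=json.dumps(build_query(minutes)).encode())
    req.add_header("Content-Type", "application/json")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

# Constructed sample shaped like Elasticsearch's aggregation output (no live cluster needed).
SAMPLE_RESPONSE = {"aggregations": {"by_user": {"buckets": [
    {"key": "alice", "by_code": {"buckets": [{"key": "4624", "doc_count": 12},
                                             {"key": "4625", "doc_count": 1}]}},
    {"key": "svc-backup", "by_code": {"buckets": [{"key": "4625", "doc_count": 25}]}},
]}}}
```

Run `summarize(run_query("elastic", "<your-password>"))` against the live cluster, or `summarize(SAMPLE_RESPONSE)` to see the flagging logic on the sample.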
9. Create Dashboard
Go to Dashboard → Create
Add visualization (e.g. bar chart)
Use:
X-axis: @timestamp
Breakdown: event.code
Common Issues
❌ Kibana not loading
Check Elasticsearch is running
❌ Permission error
Don’t use the elastic superuser in kibana.yml; use kibana_system
❌ No logs
Ensure the Security log is listed under winlogbeat.event_logs
Final Result
Logs visible in Discover
Data view created
Dashboard working
Ready for alerts & monitoring