Monitoring Active Directory Users
- On the Windows server, download and install Winlogbeat from the Elastic website.
- On the Analytics node, clear out any previously generated keys by changing into /home/admin/xcollector and running sudo rm -rf * there (run it only from inside that directory), then run docker exec xcollect /home/logstash/generate_client_keys.sh <AN IP> client, where <AN IP> is the IPv4 address of the Analytics node. The script writes the .pem files (CA certificate, client certificate and client key) into /home/admin/xcollector.
- Copy the template winlogbeat.yml from /opt/bigswitch/conf/x_collector/winlogbeat.yml on the Analytics node to the Windows server, replacing the winlogbeat.yml that ships with Winlogbeat. Then edit its Logstash output section. The 10.2.5.10 address below is a placeholder for the Analytics node IPv4, and the three ssl.* paths must match wherever you place the .pem files on the Windows server (note that cacert.pem sits in the security/ca subdirectory while the client certificate and key sit directly under security):

  #----------------------------- Logstash output ----------------------------------
  output.logstash:
    #Point agent to analytics IPv4 in hosts below
    hosts: ["10.2.5.10:5043"]
    #List of root certificates for HTTPS server verifications
    ssl.certificate_authorities: ["C:/Program Files/Winlogbeat/security/ca/cacert.pem"]
    #Certificate for SSL client authentication
    ssl.certificate: "C:/Program Files/Winlogbeat/security/clientcert.pem"
    #Client Certificate Key
    ssl.key: "C:/Program Files/Winlogbeat/security/clientkey.pem"

- Using the recovery account, use an SCP application to transfer the .pem files from /home/admin/xcollector on the Analytics node to the Windows server, and update the ssl.* paths in winlogbeat.yml to their locations.
- On Windows, open PowerShell as Administrator, change to the directory containing winlogbeat.exe, and run .\install-service-winlogbeat.ps1 to register Winlogbeat as a Windows service. If script execution is disabled on the server, run PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-winlogbeat.ps1 instead.
- Test the configuration with .\winlogbeat.exe test config -c .\winlogbeat.yml -e to check the winlogbeat.yml syntax, and .\winlogbeat.exe test output -c .\winlogbeat.yml -e to confirm that Winlogbeat can complete the TLS connection (including client-certificate authentication) to Logstash on the Analytics node.
- Run .\winlogbeat.exe run -e to start Winlogbeat in the foreground with log output on the console. Once events are arriving, stop it and start the installed service with Start-Service winlogbeat so that collection runs as a background service.
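The following PowerShell script ties the Windows-side steps together: it checks that winlogbeat.yml points at the Analytics node, that the three .pem files referenced by the ssl.* settings are present and well-formed, that TCP 5043 on the Analytics node is reachable, and only then runs the two Winlogbeat self-tests and installs and starts the service. It is an added example, not code from this page, from Winlogbeat or from the Analytics node software. It assumes Winlogbeat is unpacked in C:\Program Files\Winlogbeat, that the Logstash input listens on TCP 5043, and that the client certificate was issued by the CA in cacert.pem (the issuer check is therefore only a warning); the -AnalyticsIp parameter and the function names are this example's own.

```powershell
<#
  Added example (not from the original page, Winlogbeat or the Analytics node).
  Validates the Winlogbeat -> Analytics node TLS setup before installing the service.
  Assumptions: Winlogbeat lives in C:\Program Files\Winlogbeat, Logstash listens on
  TCP 5043, and the script runs from an elevated PowerShell prompt.
#>
param(
    [Parameter(Mandatory = $true)][string]$AnalyticsIp,
    [string]$WinlogbeatDir = 'C:\Program Files\Winlogbeat',
    [int]$LogstashPort = 5043
)

$ErrorActionPreference = 'Stop'
$configPath = Join-Path $WinlogbeatDir 'winlogbeat.yml'
$exePath    = Join-Path $WinlogbeatDir 'winlogbeat.exe'

# Pull the three ssl.* paths out of the output.logstash section.
# The regexes only handle the single-line quoted form shown in this guide.
function Get-SslPaths {
    param([string]$Yaml)
    $paths = @{}
    if ($Yaml -match 'ssl\.certificate_authorities:\s*\[\s*"([^"]+)"') { $paths['ca']   = $Matches[1] }
    if ($Yaml -match 'ssl\.certificate:\s*"([^"]+)"')                   { $paths['cert'] = $Matches[1] }
    if ($Yaml -match 'ssl\.key:\s*"([^"]+)"')                           { $paths['key']  = $Matches[1] }
    return $paths
}

# Make sure hosts: was edited to the real Analytics node and not left at the placeholder.
function Test-HostsEntry {
    param([string]$Yaml, [string]$Ip, [int]$Port)
    return ($Yaml -match ('hosts:\s*\[\s*"' + [regex]::Escape("$Ip`:$Port") + '"'))
}

$yaml = Get-Content -Raw -Path $configPath
if (-not (Test-HostsEntry -Yaml $yaml -Ip $AnalyticsIp -Port $LogstashPort)) {
    throw "output.logstash.hosts in $configPath does not contain $AnalyticsIp`:$LogstashPort"
}

$ssl = Get-SslPaths -Yaml $yaml
foreach ($name in 'ca', 'cert', 'key') {
    if (-not $ssl.ContainsKey($name)) { throw "ssl setting '$name' not found in $configPath" }
    if (-not (Test-Path -Path $ssl[$name] -PathType Leaf)) {
        throw "ssl $name file missing: $($ssl[$name]) (copy it from /home/admin/xcollector on the Analytics node)"
    }
    # A PEM file is a base64 block between BEGIN/END markers; a truncated SCP copy fails here.
    $pem = Get-Content -Raw -Path $ssl[$name]
    if ($pem -notmatch '-----BEGIN [A-Z ]+-----' -or $pem -notmatch '-----END [A-Z ]+-----') {
        throw "$($ssl[$name]) does not look like a PEM file"
    }
}

# Assumption: the client certificate was issued by the CA in cacert.pem. Warn if the
# issuer does not match, because Logstash will reject the client handshake in that case.
$caCert     = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl['ca'])
$clientCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl['cert'])
if ($clientCert.Issuer -ne $caCert.Subject) {
    Write-Warning "client cert issuer '$($clientCert.Issuer)' differs from CA subject '$($caCert.Subject)'"
}
if ($clientCert.NotAfter -lt (Get-Date)) { throw "client certificate expired on $($clientCert.NotAfter)" }

# Plain TCP reachability of the Logstash listener before attempting TLS.
$tcp = Test-NetConnection -ComputerName $AnalyticsIp -Port $LogstashPort -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) { throw "TCP $AnalyticsIp`:$LogstashPort is not reachable" }

# Syntax check, then a real TLS handshake with client authentication against Logstash.
& $exePath test config -c $configPath -e
if ($LASTEXITCODE -ne 0) { throw 'winlogbeat test config failed' }
& $exePath test output -c $configPath -e
if ($LASTEXITCODE -ne 0) { throw 'winlogbeat test output failed' }

# Only now register the service (install script ships with Winlogbeat) and start it.
if (-not (Get-Service -Name winlogbeat -ErrorAction SilentlyContinue)) {
    Push-Location $WinlogbeatDir
    try { PowerShell.exe -ExecutionPolicy Unrestricted -File .\install-service-winlogbeat.ps1 }
    finally { Pop-Location }
}
Start-Service -Name winlogbeat
Get-Service -Name winlogbeat | Select-Object Name, Status
```

Run it as .\Check-Winlogbeat.ps1 -AnalyticsIp <AN IP> from an elevated prompt. The ordering is deliberate: file and reachability checks fail fast with a specific message, whereas a bare winlogbeat test output failure only tells you the handshake did not complete.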