This project demonstrates how to use the Fleet API to add winlog integrations to a Fleet agent policy. It adds a winlog input for each of the four Windows event log channels described in the Winlogbeat 7.x module documentation, and it incorporates the Beats script processor logic from the respective Winlogbeat module into the Agent policy.
Assumptions:
- Winlogbeat module scripts are from version v7.17.21.
- Fleet winlog integration version is 2.1.1.
- The "default" data stream namespace is used for all data streams.
- Each Windows event log channel is configured with its own data stream (e.g. logs-winlog.security-default).
- The mappings of the Fleet winlog integration are applied to the data.
- The listed commands are executed from a directory containing the `policy-*.json` files contained in this repository.
Pre-requirements:
- Record the ID of a Fleet agent policy to which you want the winlog integration added. We'll set this as `AGENT_POLICY_ID` in our shell environment.
- Obtain an Elasticsearch API key that can manage Fleet. We'll set this as `API_KEY` in our shell environment.
- Get the URL to Kibana. We'll set this as `KIBANA_URL` in our shell environment.
If you run all four of the `curl` commands below on an empty Fleet agent policy, this will be the end result when viewing the policy.

This will add a new integration named `winlog-powershell-operational` in your Agent policy.

```bash
# Substitute in your own environment variable values.
export API_KEY="exampleZWUJHTHZPZHRHMnlfci06Y3ByU0Jva1hUYWEwQmR0NzVZRlpSQQ=="
export AGENT_POLICY_ID="87323640-a676-11ed-b7ad-57c2b61f1488"
export KIBANA_URL="https://localhost:5601"

curl \
  -XPOST \
  --fail-with-body \
  --header 'Content-Type: application/json' \
  --header 'kbn-xsrf: true' \
  --header "Authorization: ApiKey $API_KEY" \
  "$KIBANA_URL/api/fleet/package_policies" \
  -d @<(cat policy-winlog-powershell-operational.json | envsubst)
```
This will add a new integration named `winlog-security` in your Agent policy.

```bash
# Substitute in your own environment variable values.
export API_KEY="exampleZWUJHTHZPZHRHMnlfci06Y3ByU0Jva1hUYWEwQmR0NzVZRlpSQQ=="
export AGENT_POLICY_ID="87323640-a676-11ed-b7ad-57c2b61f1488"
export KIBANA_URL="https://localhost:5601"

curl \
  -XPOST \
  --fail-with-body \
  --header 'Content-Type: application/json' \
  --header 'kbn-xsrf: true' \
  --header "Authorization: ApiKey $API_KEY" \
  "$KIBANA_URL/api/fleet/package_policies" \
  -d @<(cat policy-winlog-security.json | envsubst)
```
This will add a new integration named `winlog-sysmon` in your Agent policy.

```bash
# Substitute in your own environment variable values.
export API_KEY="exampleZWUJHTHZPZHRHMnlfci06Y3ByU0Jva1hUYWEwQmR0NzVZRlpSQQ=="
export AGENT_POLICY_ID="87323640-a676-11ed-b7ad-57c2b61f1488"
export KIBANA_URL="https://localhost:5601"

curl \
  -XPOST \
  --fail-with-body \
  --header 'Content-Type: application/json' \
  --header 'kbn-xsrf: true' \
  --header "Authorization: ApiKey $API_KEY" \
  "$KIBANA_URL/api/fleet/package_policies" \
  -d @<(cat policy-winlog-sysmon.json | envsubst)
```
This will add a new integration named `winlog-windows-powershell` in your Agent policy.

```bash
# Substitute in your own environment variable values.
export API_KEY="exampleZWUJHTHZPZHRHMnlfci06Y3ByU0Jva1hUYWEwQmR0NzVZRlpSQQ=="
export AGENT_POLICY_ID="87323640-a676-11ed-b7ad-57c2b61f1488"
export KIBANA_URL="https://localhost:5601"

curl \
  -XPOST \
  --fail-with-body \
  --header 'Content-Type: application/json' \
  --header 'kbn-xsrf: true' \
  --header "Authorization: ApiKey $API_KEY" \
  "$KIBANA_URL/api/fleet/package_policies" \
  -d @<(cat policy-winlog-windows-powershell.json | envsubst)
```
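As an added example (not part of this repository), the same four requests driven from one Python script: it renders each `policy-*.json` with the `${VAR}` substitution that `envsubst` performs, checks before sending that the agent policy ID actually landed in `policy_id` and that the namespace is `default` (as assumed above), and then POSTs with the same headers as the `curl` commands. `SAMPLE_TEMPLATE` is a constructed stand-in for the repository's policy files, whose contents are not shown here; `policy_id`, `namespace` and `package.name` are fields of the Fleet package policy request body.

```python
"""Render the policy-*.json templates, sanity-check them, then POST to Fleet."""
import json
import os
import string
import urllib.request

PACKAGE_POLICIES_PATH = "/api/fleet/package_policies"  # endpoint the curl commands use

# Constructed stand-in for one policy-*.json file; the real files are in the repo.
SAMPLE_TEMPLATE = """{
  "name": "winlog-security", "namespace": "default",
  "policy_id": "${AGENT_POLICY_ID}",
  "package": {"name": "winlog", "version": "2.1.1"},
  "inputs": []
}"""

def render_policy(template_text, env):
    """Substitute $VAR / ${VAR} from env like envsubst does, then parse the JSON.
    safe_substitute leaves unknown or malformed placeholders as-is, so a literal
    '$' inside a processor script survives and a missing variable stays visible."""
    return json.loads(string.Template(template_text).safe_substitute(env))

def check_policy(policy, agent_policy_id):
    """Return the problems that should block the POST (empty list if none)."""
    problems = []
    if policy.get("policy_id") != agent_policy_id:
        problems.append("policy_id does not match AGENT_POLICY_ID")
    if policy.get("namespace") != "default":
        problems.append("namespace is not 'default'")
    if policy.get("package", {}).get("name") != "winlog":
        problems.append("package.name is not 'winlog'")
    return problems

def post_policy(kibana_url, api_key, policy):
    """POST one package policy with the same headers as the curl commands."""
    req = urllib.request.Request(
        kibana_url.rstrip("/") + PACKAGE_POLICIES_PATH,
        data=json.dumps(policy).encode(), method="POST",
        headers={"Content-Type": "application/json", "kbn-xsrf": "true",
                 "Authorization": "ApiKey " + api_key})
    with urllib.request.urlopen(req) as resp:  # raises HTTPError on 4xx/5xx
        return resp.status, json.load(resp)

if __name__ == "__main__":
    env = {k: os.environ[k] for k in ("API_KEY", "AGENT_POLICY_ID", "KIBANA_URL")}
    for name in ("powershell-operational", "security", "sysmon", "windows-powershell"):
        with open(f"policy-winlog-{name}.json") as fh:
            policy = render_policy(fh.read(), env)
        if problems := check_policy(policy, env["AGENT_POLICY_ID"]):
            raise SystemExit(f"policy-winlog-{name}.json: " + "; ".join(problems))
        print(name, post_policy(env["KIBANA_URL"], env["API_KEY"], policy)[0])
```

Unlike `envsubst`, which silently replaces an unset variable with an empty string, an unset `AGENT_POLICY_ID` here leaves the placeholder in place and `check_policy` refuses to send it.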