How to Implement ELK Stack for Windows Monitoring?
What is ELK?
“ELK” is the acronym for three open source projects: Elasticsearch, Logstash, and Kibana. Elasticsearch is a search and analytics engine. Logstash is a server‑side data processing pipeline that simultaneously ingests data from multiple sources, transforms it, and then sends it to a “stash” like Elasticsearch. Kibana lets users visualize data with charts and graphs in Elasticsearch
Environment:
- ElasticSearch Logstash Kibana
- Metricbeat and Winlogbeat
Explanation:
Prerequisite
Install latest JDK version and set JAVA_HOME Variable in environment variable.
Installation of Elasticsearch
- Download Elasticsearch for windows from the link
- Unzip Elasticsearch in one folder i.e., C:\ELKStack
- Copy path till bin folder i.e., C:\ELKStack\elasticsearch-7.8.1-windows-x86_64\elasticsearch-7.8.1\bin and set this path into environment variable under Path variable
- Run Elasticsearch.bat in command prompt (Make sure run command prompt as administrator)
- Check that Elasticsearch is up and running using localhost:9200 or ipaddress:9200 in any browser.
- For a more detailed installation process, please refer to this link
Installation of Kibana
- Download Kibana for windows from the link
- Unzip Kibana in one folder i.e., C:\ELKStack
- Copy path till bin folder, i.e., C:\ELKStack\kibana-7.8.1-windows-x86_64\kibana-7.8.1-windows-x86_64\bin and set this path into environment variable under Path variable.
Windows Monitoring
To implement windows monitoring, you have to install a winlogbeat to fetch the windows event data and enable some configuration in the yml file.
Steps:
1. Download the Winlogbeat zip file from the link
2. Extract the contents into C:\Program Files
3. Rename the winlogbeat-<version> directory to Winlogbeat
4. Configure winlogbeat.yml file
a. Set the host and port where Winlogbeat can find the Elasticsearch installation, and set the username and password of a user who is authorized to set up Winlogbeat.
b. Note: Username and password is optional
c. If you plan to use pre-built Kibana dashboards, configure the Kibana endpoint. Skip this step if Kibana is running on the same host as Elasticsearch.
6. Start winlogbeat service from service.msc
7. Open the kibana application from localhost:5601, go to the dashboard tab, and find the dashboard that is enabled through winlogbeat. For example, some are some below:
Azure and AWS Monitoring
To implement azure and AWS KPI in kibana, you need to install metericbeat and change some configuration in metricbeat.yml file.
Steps:
- Download the Metricbeat zip file from the link
- Extract the contents into C:\Program Files
- Rename the Metricbeat -<version> directory to Metricbeat
- Configure metricbeat.yml file
a. Set the host and port where metricbeat can find the Elasticsearch installation, and set the username and password of a user authorized to set up Metricbeat.
b. Note: Username and password is optional
c. If you plan to use pre-built Kibana dashboards, configure the Kibana endpoint. Skip this step if Kibana is running on the same host as Elasticsearch.
Note: Username and password is optional
8. Start metricbeat service from service.msc
9. Open the kibana application from localhost:5601, go to the dashboard tab, and find the dashboard that is enabled through metricbeat. For example, some are some below:
10. Also, many pre-built dashboards are loaded in Kibana, which includes the Azure and AWS monitoring shown below:
11. If you want to add a new dataset, then you need to change the index pattern of the metricbeat from where the data sets are loaded. The image below displays the index pattern in kibana:
Users can load the data from here.
We hope you are now thorough in how ELK Stack implementation is easy and doable. In case you still have any queries, do not hesitate to get in touch with an expert at DEV IT here.