โ Check
- Winlogbeat service is running
- Security logs present in Event Viewer
- Static export path created (e.g.,
C:\ProgramData\winlogbeat\opforge-export\) - SOF-ELK reachable via IP (e.g.,
192.168.77.40)
โ๏ธ Do
Modify winlogbeat.yml:
output.file:
path: "C:/ProgramData/winlogbeat/opforge-export"
filename: "winlogbeat.json"
rotate_every_kb: 10000
number_of_files: 5
codec.format:
string: '%{[message]}'
Restart Winlogbeat:
Restart-Service winlogbeat
๐ Check
.ndjsonfiles appear in the export directory- Each entry is valid line-separated JSON
- Key events (e.g., 4624, 4688, 1102) are present