
Connect Windows Endpoints

Once the App Node and GPU Node are running, connect your Windows endpoints so they start reporting in.

To monitor a Windows machine, install two components on it:

  1. Sysmon — the collector. It records detailed process, network, and file activity to the Windows event log.
  2. Winlogbeat — the shipper. It reads Sysmon's events and forwards them to the appliance's Kafka listener.

```mermaid
flowchart LR
    subgraph EP["Windows endpoint"]
        SM["Sysmon<br>(collector)"] -- "writes events" --> EVT["Windows event log<br>(Sysmon/Operational channel)"]
        EVT -- "read by" --> WB["Winlogbeat<br>(shipper)"]
    end
    WB -- "sysmon-logs topic · TCP 29092" --> K["App Node<br>Kafka listener"]
```

Install them in that order: Winlogbeat reads the Microsoft-Windows-Sysmon/Operational channel, which does not exist until Sysmon is installed.

Run all of the commands below in an Administrator PowerShell session on the endpoint.


Step 1 — Install Sysmon (the collector)

Download Sysmon from Microsoft Sysinternals and extract it:

cd C:\
Invoke-WebRequest -Uri "https://download.sysinternals.com/files/Sysmon.zip" -OutFile Sysmon.zip
Expand-Archive -Path Sysmon.zip -DestinationPath "C:\Program Files\Sysmon"

Add the configuration. Sysmon does almost nothing useful without one — the configuration decides which events are recorded and which noise is filtered out. Logster ships a ready-to-use baseline: download sysmon-config.xml and save it on the endpoint as:

C:\Program Files\Sysmon\sysmon-config.xml

It is a high-signal baseline that records the process, network, and file activity Logster analyzes while filtering out routine Windows noise. It is based on the widely used community SwiftOnSecurity sysmon-config (licensed CC BY 4.0; attribution is retained in the file header).

[!NOTE] The configuration requires Sysmon 13 or newer (the Sysmon.zip download above is always the latest version, so this is satisfied automatically).

Install Sysmon with the configuration:

cd "C:\Program Files\Sysmon"
.\Sysmon64.exe -accepteula -i sysmon-config.xml

Verify the service is running:

Get-Service Sysmon64

It should report Running. Sysmon now starts automatically on every boot.

[!TIP] To apply an updated configuration later — without reinstalling — use:

cd "C:\Program Files\Sysmon"
.\Sysmon64.exe -c sysmon-config.xml

Step 2 — Install and configure Winlogbeat (the shipper)

Download Winlogbeat

cd C:\
Invoke-WebRequest -Uri "https://artifacts.elastic.co/downloads/beats/winlogbeat/winlogbeat-8.17.0-windows-x86_64.zip" -OutFile winlogbeat.zip
Expand-Archive -Path winlogbeat.zip -DestinationPath "C:\Program Files"
Rename-Item "C:\Program Files\winlogbeat-8.17.0-windows-x86_64" "C:\Program Files\Winlogbeat"

Configure Winlogbeat

Edit C:\Program Files\Winlogbeat\winlogbeat.yml. Replace the Kafka hosts value with your appliance's EXTERNAL_KAFKA_LAN_HOST:

# ======================== Winlogbeat Configuration ============================

winlogbeat.event_logs:
  - name: Microsoft-Windows-Sysmon/Operational
    processors:
      - add_fields:
          target: host
          fields:
            name: ${COMPUTERNAME}

# ======================== Processors ==========================================

processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_fields:
      target: ''
      fields:
        host.hostname: ${COMPUTERNAME}

# ======================== Outputs =============================================

# Disable Elasticsearch output
output.elasticsearch:
  enabled: false

# Enable Kafka output
output.kafka:
  enabled: true
  hosts: ["<app-node>:29092"]   # <-- set to your App Node's EXTERNAL_KAFKA_LAN_HOST IP
  topic: "sysmon-logs"
  partition.round_robin:
    reachable_only: true
  required_acks: 1
  compression: gzip
  codec.json:
    pretty: false
    escape_html: false

# ======================== Logging =============================================

logging.level: info
logging.to_files: true
logging.files:
  path: C:\Program Files\Winlogbeat\logs
  name: winlogbeat
  keepfiles: 7
  permissions: 0640

Install and start the service

cd "C:\Program Files\Winlogbeat"
powershell -ExecutionPolicy Bypass -File .\install-service-winlogbeat.ps1
Start-Service winlogbeat
Get-Service winlogbeat

Get-Service winlogbeat should report Running. Within a minute or two the endpoint appears on the Logster Console (http://<app-node>:5001).


Endpoint not appearing on the console?

  • Confirm Sysmon is running on the endpoint and writing to its Microsoft-Windows-Sysmon/Operational log.
  • Confirm the endpoint can reach <EXTERNAL_KAFKA_LAN_HOST>:29092 (check firewalls between the endpoint and the appliance).
  • Check the Winlogbeat logs at C:\Program Files\Winlogbeat\logs for output errors.
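The three checks above, as an added PowerShell helper that is not part of the Logster documentation or of the Sysmon/Winlogbeat tooling. It assumes the install paths used on this page; `$KafkaHost` is a placeholder for your App Node's EXTERNAL_KAFKA_LAN_HOST, and `Test-Check` is a hypothetical helper defined here.

```powershell
# Added troubleshooting helper (not Logster's own code). Run in an Administrator PowerShell session.
# Assumes the paths from this page; $KafkaHost is a placeholder for EXTERNAL_KAFKA_LAN_HOST.
param(
    [string]$KafkaHost = "<app-node>",
    [int]$KafkaPort = 29092,
    [string]$WinlogbeatLogDir = "C:\Program Files\Winlogbeat\logs"
)

# Hypothetical helper: runs a check block, prints OK/FAIL, returns $true/$false.
function Test-Check {
    param([string]$Name, [scriptblock]$Check)
    try { $ok = [bool](& $Check) } catch { $ok = $false }
    $mark = if ($ok) { "OK  " } else { "FAIL" }
    Write-Host "[$mark] $Name"
    return $ok
}

# 1. The collector: the Sysmon64 service must be Running.
$sysmonOk = Test-Check "Sysmon64 service running" {
    (Get-Service Sysmon64 -ErrorAction Stop).Status -eq 'Running'
}

# 1b. The channel Winlogbeat reads must exist and have recent events
#     (Get-WinEvent throws when nothing matches, which Test-Check reports as FAIL).
$channelOk = Test-Check "Sysmon/Operational channel has events in the last 10 minutes" {
    $since = (Get-Date).AddMinutes(-10)
    $ev = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; StartTime = $since } `
        -MaxEvents 1 -ErrorAction Stop
    $null -ne $ev
}

# 2. The endpoint must reach the App Node's Kafka listener on TCP 29092.
$kafkaOk = Test-Check "TCP ${KafkaHost}:${KafkaPort} reachable" {
    (Test-NetConnection -ComputerName $KafkaHost -Port $KafkaPort -WarningAction SilentlyContinue).TcpTestSucceeded
}

# 3. The shipper: the winlogbeat service must be Running, and its newest log file
#    should be free of output errors (Select-String matches case-insensitively).
$beatOk = Test-Check "winlogbeat service running" {
    (Get-Service winlogbeat -ErrorAction Stop).Status -eq 'Running'
}
$logFile = Get-ChildItem -Path $WinlogbeatLogDir -Filter 'winlogbeat*' -File -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($logFile) {
    Write-Host "`nRecent error/Kafka lines in $($logFile.FullName):"
    Get-Content $logFile.FullName -Tail 500 | Select-String -Pattern 'error|kafka' | Select-Object -Last 10
} else {
    Write-Host "[FAIL] No Winlogbeat log file found in $WinlogbeatLogDir"
}
```

If the Kafka check fails but both services are Running, the problem is between the endpoint and the appliance (firewall or the hosts value in winlogbeat.yml), not on the endpoint itself.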