{"id":50539714,"url":"https://github.com/bitranox/winlogbeat_installer","last_synced_at":"2026-06-03T19:30:40.386Z","repository":{"id":357579834,"uuid":"1237546099","full_name":"bitranox/winlogbeat_installer","owner":"bitranox","description":"PowerShell installer for Elastic Winlogbeat on Windows that keeps winlogbeat.yml in a stable location and auto-reconfigures the service after every MSI upgrade.","archived":false,"fork":false,"pushed_at":"2026-05-13T10:24:15.000Z","size":19,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2026-05-13T12:30:07.470Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bitranox.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-13T09:29:15.000Z","updated_at":"2026-05-13T10:23:51.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/bitranox/winlogbeat_installer","commit_stats":null,"previous_names":["bitranox/winlogbeat_installer"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/bitranox/winlogbeat_installer","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bitranox%2Fwinlogbeat_installer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bitranox%2Fwinlogbeat_installer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/host
s/GitHub/repositories/bitranox%2Fwinlogbeat_installer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bitranox%2Fwinlogbeat_installer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bitranox","download_url":"https://codeload.github.com/bitranox/winlogbeat_installer/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bitranox%2Fwinlogbeat_installer/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33876893,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-03T02:00:06.370Z","response_time":59,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-06-03T19:30:39.712Z","updated_at":"2026-06-03T19:30:40.369Z","avatar_url":"https://github.com/bitranox.png","language":"PowerShell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Winlogbeat Installer\n\nSelf-contained installer for Elastic Winlogbeat on Windows that **eliminates\nthe need to manually copy `winlogbeat.yml` after every MSI upgrade**.\n\n## What it does\n\n1. Installs (or upgrades) **Winlogbeat** via `winget` (`Elastic.Winlogbeat`).\n2. 
Deploys `winlogbeat.yml` to a **stable location** outside the versioned\n   install dir: `C:\\Program Files\\Elastic\\Beats\\winlogbeat.yml`.\n   **Existing configs are preserved** by default - see\n   [Config file behavior](#config-file-winlogbeatyml-behavior) below.\n3. Deploys the maintenance script `Fix-WinlogbeatService.ps1` next to it.\n4. Registers a **scheduled task** that fires whenever the MSI installer\n   reports a successful product install (Application log, source `MsiInstaller`,\n   event ID `1033`). The task re-points the service's `binPath` at the stable\n   config and the newest installed version dir.\n5. Runs the maintenance script once to apply the binPath immediately.\n6. If the config file was just (re)deployed, restarts the service so the\n   new config is loaded into the running process.\n7. Verifies everything is wired up.\n8. On full success, deletes old versioned install dirs under\n   `C:\\Program Files\\Elastic\\Beats\\` (opt-out via `-KeepOldVersions`).\n\n## Why\n\nThe Elastic Winlogbeat MSI installs into versioned dirs\n(`C:\\Program Files\\Elastic\\Beats\\\u003cver\u003e\\winlogbeat\\`) and re-registers the\n`winlogbeat` Windows service with all paths pointing into that versioned dir\non every upgrade. Out of the box that means you must copy `winlogbeat.yml`\ninto the new dir after every upgrade or the service won't find its config.\n\nThis installer breaks that cycle by:\n\n- Keeping the config (and `data/`, `logs/`) at a path that never changes.\n- Auto-reapplying the service `binPath` after each MSI upgrade.\n\n## Requirements\n\n- **Windows** with **PowerShell** (5.1+; the installer uses cmdlets present\n  in both Windows PowerShell and PowerShell 7).\n- **`winget`** (App Installer) - shipped with current Windows 10/11.\n- **Elevation required.** All steps need administrator rights. 
Both scripts\n  start with `#Requires -RunAsAdministrator`; PowerShell refuses to run them\n  in a non-elevated session with a clear error message.\n\n## Files in this directory\n\n| File                        | Purpose                                                                                                                                                                                                                                                                                                                                                                                                                    |\n|-----------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| `install.ps1`               | The installer / orchestrator. Run elevated.                                                                                                                                                                                                                                                                                                                                                                                |\n| `winlogbeat.yml`            | **Sample** seed config tailored for **Graylog** (Beats input on port 5044, TLS off) and **Windows 11**. Adjust the `output.logstash.hosts` target and event log selection for your environment. Copied to `C:\\Program Files\\Elastic\\Beats\\winlogbeat.yml` only on fresh installs (or with `-ForceConfigOverwrite`). To change shipper behavior on a machine that already has it deployed, edit the deployed copy directly. 
|\n| `Fix-WinlogbeatService.ps1` | Idempotent maintenance script that re-points the service. Deployed alongside the config.                                                                                                                                                                                                                                                                                                                                   |\n| `check_config.ps1`          | Standalone validator. Runs `winlogbeat.exe test config` (and `test output`) against the deployed config — or a path you supply. Read-only, no admin required.                                                                                                                                                                                                                                                              |\n| `README.md`                 | This file.                                                                                                                                                                                                                                                                                                                                                                                                                 |\n\n## Usage\n\nOpen an **elevated** PowerShell in this directory.\n\n### First install (or full re-run)\n\n```powershell\n.\\install.ps1\n```\n\n### Pin a specific version\n\n```powershell\n.\\install.ps1 -Version 9.4.1\n```\n\n### Re-deploy script + scheduled task without touching winget\n\n```powershell\n.\\install.ps1 -SkipWinget\n```\n\n### Keep old version dirs (skip cleanup)\n\n```powershell\n.\\install.ps1 -KeepOldVersions\n```\n\nBy default, after verification passes, the installer removes every\n`\u003cver\u003e` dir under `C:\\Program Files\\Elastic\\Beats\\` that isn't the\ncurrently active version. 
Pass `-KeepOldVersions` to retain them.\n\nThe installer is **idempotent** - it's safe to re-run any time.\n\n## What the sample `winlogbeat.yml` collects\n\nThe bundled config is a security + reliability baseline tuned for **Windows 11\nclients** shipping to **Graylog**. It enables the following event log channels:\n\n| Channel                                                                  | Filter                                      | What it catches                                                                                                                                                                                         |\n|--------------------------------------------------------------------------|---------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| `Security`                                                               | curated event IDs (see below)               | Logon/logoff, account \u0026 group changes, AD activity, privilege use, process creation, service install, scheduled tasks, audit policy \u0026 log clear, Kerberos, file share access, credential manager, recon |\n| `Application`                                                            | `critical, error, warning`                  | .NET runtime crashes, Windows Error Reporting (1000/1001), Application Hang (1002), MSI install failures, app-specific errors                                                                           |\n| `System`                                                                 | `critical, error, warning`                  | Service start failures (7000/7001/7011/7034), driver load issues, disk errors (event 7/11/51 — pre-failure signals), time-sync, boot issues                                                             |\n| 
`Microsoft-Windows-PowerShell/Operational`                               | IDs 4103-4106, level `information, warning` | Module logging, script block logging (including Warning-level suspicious-script alerts)                                                                                                                 |\n| `Microsoft-Windows-Windows Defender/Operational`                         | all levels                                  | Detections (Warning), engine errors (Error), signature updates                                                                                                                                          |\n| `Microsoft-Windows-Sysmon/Operational`                                   | all (requires Sysmon installed)             | Process tree, network connections, file/registry/image-load activity — depends on your Sysmon config                                                                                                    |\n| `Microsoft-Windows-TaskScheduler/Operational`                            | all                                         | Task registration / run / completion detail (complements Security 4698)                                                                                                                                 |\n| `Microsoft-Windows-TerminalServices-LocalSessionManager/Operational`     | all                                         | RDP session lifecycle (IDs 21/22/23/24/25) — who used RDP                                                                                                                                               |\n| `Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational` | all                                         | RDP inbound source IP (ID 1149)                                                                                                                                                                         |\n| 
`Microsoft-Windows-WMI-Activity/Operational`                             | all                                         | WMI persistence (T1546.003), lateral movement (T1047)                                                                                                                                                   |\n| `Microsoft-Windows-Bits-Client/Operational`                              | all                                         | BITS abuse for download/exfiltration (T1197)                                                                                                                                                            |\n| `Microsoft-Windows-CodeIntegrity/Operational`                            | `critical, error, warning`                  | Driver / binary signing failures, WDAC violations                                                                                                                                                       |\n| `Microsoft-Windows-PrintService/Operational`                             | all                                         | PrintNightmare-class abuse (driver load)                                                                                                                                                                |\n| `Microsoft-Windows-AppLocker/EXE and DLL` + `MSI and Script`             | all                                         | Blocked executions (only emits when AppLocker is configured)                                                                                                                                            |\n| `Setup`                                                                  | `critical, error, warning`                  | Servicing / feature install issues                                                                                                                                                                      |\n\n### Security event IDs included\n\nThe 
`Security` channel is **not** set to \"everything\" - it ships a curated set\nthat aligns with the NSA \"Spotting the Adversary\" / Palantir WEF baselines:\n\n- **Logon:** `4624, 4625, 4634, 4647, 4648, 4672, 4778, 4779`\n- **Privilege use:** `4673, 4674`\n- **Process tracking:** `4688, 4689`\n- **Service install:** `4697`\n- **Scheduled tasks:** `4698, 4699, 4702`\n- **Audit policy / log integrity:** `4719, 4964, 1102`\n- **Account management:** `4720, 4722-4726, 4738, 4740, 4767, 4781`\n- **Group management:** `4727-4731, 4732-4735, 4737, 4741-4743, 4756-4758`\n- **Kerberos (and NTLM):** `4768, 4769, 4771, 4772, 4776` (4776 is the NTLM credential-validation event, not Kerberos)\n- **Recon (local group enum):** `4798, 4799`\n- **File share access:** `5140, 5145`\n- **Object ACL changes:** `4670`\n- **Credential Manager:** `5379`\n\n### Sample config knobs you'll commonly want to change\n\nThe settings below are the ones that are environment-specific. They're easy to\nspot in the file (search by section header):\n\n| Where                                          | Setting                                                     | Default in sample              | When to change                                                                                                             |\n|------------------------------------------------|-------------------------------------------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------|\n| `output.logstash.hosts`                        | Graylog Beats input host:port                               | `graylog.yourdomain.fqdn:5044` | **Always** - point at your Graylog server. Sample is a placeholder.                                                        
|\n| `output.logstash`                              | TLS                                                         | off (no `ssl.*` keys)          | If your Graylog Beats input requires TLS, add an `ssl.*` block — see Elastic docs                                          |\n| `fields.environment`                           | env tag for routing                                         | `prod`                         | Set to `dev` / `test` / etc. — surfaces as `environment` at the event root                                                 |\n| `fields.site`                                  | location tag                                                | `vienna-dc`                    | Set to your site identifier — useful for multi-site dashboards                                                             |\n| `processors` (drop_event for 4624/4634)        | drops `LogonType: 3` (network) and `LogonType: 5` (service) | enabled                        | **Remove these blocks on servers / DCs** — network logons are the most interesting events there. They're noise on clients. |\n| `winlogbeat.event_logs[Security].event_id`     | curated list                                                | ~55 IDs                        | Add more (e.g. `5136` for AD object changes on DCs) or trim. Don't use `\"*\"` — drowns Graylog.                             
|\n| `winlogbeat.event_logs[*].ignore_older`        | starts from N hours ago on first run                        | `24h`                          | Increase if you want to backfill on first start; decrease to ignore old events after a long shipper outage                 |\n| `queue.mem`                                    | in-memory event buffer                                      | 4096 events                    | Increase on busy hosts; decrease on memory-constrained boxes                                                               |\n| `logging.files.rotateeverybytes`               | local log rotation                                          | 10 MB × 7 files                | Adjust to fit available disk under `C:\\Program Files\\Elastic\\Beats\\logs\\`                                                  |\n| `setup.ilm.enabled` / `setup.template.enabled` | Elasticsearch index management                              | both `false`                   | Leave `false` for Graylog (Graylog manages its own indices). Set `true` only if shipping straight to Elasticsearch.        |\n\n### TLS to Graylog\n\nThe sample assumes TLS is **off** on the Graylog Beats input. To enable TLS,\nadd under `output.logstash`:\n\n```yaml\nssl.enabled: true\nssl.certificate_authorities: [\"C:/Program Files/Elastic/Beats/ca.crt\"]\nssl.verification_mode: full\n```\n\n…and configure the matching cert chain on the Graylog side.\n\n## Config file (`winlogbeat.yml`) behavior\n\nThe installer is conservative about your config so that re-runs and\npost-upgrade fixes never silently clobber your edits:\n\n| Destination state                                                        | `-ForceConfigOverwrite`? 
| What happens                                                                                                                               |\n|--------------------------------------------------------------------------|--------------------------|--------------------------------------------------------------------------------------------------------------------------------------------|\n| **No `winlogbeat.yml`** at `C:\\Program Files\\Elastic\\Beats\\` (fresh box) | (irrelevant)             | Bundled `winlogbeat.yml` is **copied**, then service is **restarted** to load it                                                           |\n| `winlogbeat.yml` already exists                                          | not passed (default)     | **Skipped, existing file kept** -\u003e `[WARN] ... leaving it untouched`. Service is **not restarted** (no change to load).                    |\n| `winlogbeat.yml` already exists                                          | passed                   | Existing file backed up to `winlogbeat.yml.bak.\u003ctimestamp\u003e`, bundled file is copied, service is **restarted** so the new config is loaded. 
|\n\nSo:\n\n- **Edit the deployed file** (`C:\\Program Files\\Elastic\\Beats\\winlogbeat.yml`)\n  freely - re-running `install.ps1` will not touch it.\n- The **bundled** `winlogbeat.yml` (in this project dir) is the seed only.\n  Update it if you want a new fresh-install template; it does not push your\n  changes to existing installs.\n- The **maintenance script** (`Fix-WinlogbeatService.ps1`), and therefore\n  the scheduled task that fires after every MSI upgrade, never touches the\n  config either - it only edits the service `binPath`.\n\nTo force-replace an existing config with the bundled one:\n\n```powershell\n.\\install.ps1 -ForceConfigOverwrite\n```\n\n## Future upgrades\n\nOnce installed, you don't need this installer again to upgrade:\n\n```powershell\nwinget upgrade --id Elastic.Winlogbeat\n```\n\nWithin ~30 seconds the scheduled task fires, runs the maintenance script,\nand the service is back to using the stable config from the new version dir.\nThe maintenance script then waits up to 30 s for the service to reach\n`Running`, and **only on success** removes the previous versioned install\ndirs under `C:\\Program Files\\Elastic\\Beats\\`. If the new service fails to\nstart, the old version dirs are kept for diagnosis / manual rollback.\n\n\u003e **Opt out of automatic cleanup:** the maintenance script also accepts\n\u003e `-KeepOldVersions`. 
Since the scheduled task invokes the script without\n\u003e arguments, the way to make the post-upgrade flow keep old dirs is to\n\u003e edit the scheduled task's action and append `-KeepOldVersions` to the\n\u003e `-File` argument (or replace the deployed script with a wrapper).\n\n## What gets created on the system\n\n| Path                                                       | Contents                                        |\n|------------------------------------------------------------|-------------------------------------------------|\n| `C:\\Program Files\\Elastic\\Beats\\winlogbeat.yml`            | Stable config                                   |\n| `C:\\Program Files\\Elastic\\Beats\\Fix-WinlogbeatService.ps1` | Maintenance script                              |\n| `C:\\Program Files\\Elastic\\Beats\\data\\`                     | Stable shipper state (event registry, lockfile) |\n| `C:\\Program Files\\Elastic\\Beats\\logs\\`                     | Stable beat logs                                |\n| `C:\\Program Files\\Elastic\\Beats\\\u003cver\u003e\\winlogbeat\\`         | Versioned install dir (managed by winget/MSI)   |\n| Scheduled task `Fix-WinlogbeatService-OnMsiInstall`        | Auto-reconfig trigger                           |\n| Service `winlogbeat` (binPath rewritten)                   | Reads stable config                             |\n\n## Verification\n\nThe installer runs a verification pass at the end. 
To re-check at any time:\n\n```powershell\n# Service status\nGet-Service winlogbeat\n\n# Service binPath\nsc.exe qc winlogbeat | Select-String BINARY_PATH_NAME\n\n# Scheduled task health\nGet-ScheduledTaskInfo -TaskName Fix-WinlogbeatService-OnMsiInstall\n\n# Run the maintenance script manually (idempotent)\n\u0026 \"C:\\Program Files\\Elastic\\Beats\\Fix-WinlogbeatService.ps1\"\n```\n\n### Validating the config (`check_config.ps1`)\n\n`check_config.ps1` runs `winlogbeat.exe test config` and `test output`\nagainst a config file using the newest installed `winlogbeat.exe`. It uses\na private temp `--path.data` so it never disturbs the running service's\nregistry / lockfile, and it does **not** require admin rights.\n\n```powershell\n# Check the deployed stable config (default)\n.\\check_config.ps1\n\n# Check the bundled config in this directory before deploying\n.\\check_config.ps1 -Bundled\n\n# Check an arbitrary file\n.\\check_config.ps1 -ConfigPath C:\\tmp\\test.yml\n\n# Skip the output reachability test (doesn't try to talk to Graylog)\n.\\check_config.ps1 -SkipOutputTest\n```\n\nExit code `0` = all checks passed, `1` = one or more failed.\n\n## Uninstall\n\n```powershell\n# Stop and remove the service via winget\nwinget uninstall --id Elastic.Winlogbeat\n\n# Remove the scheduled task\nUnregister-ScheduledTask -TaskName Fix-WinlogbeatService-OnMsiInstall -Confirm:$false\n\n# Optional: remove stable config and state\nRemove-Item -Recurse -Force \"C:\\Program Files\\Elastic\\Beats\\winlogbeat.yml\",\n                            \"C:\\Program Files\\Elastic\\Beats\\Fix-WinlogbeatService.ps1\",\n                            \"C:\\Program Files\\Elastic\\Beats\\data\",\n                            \"C:\\Program Files\\Elastic\\Beats\\logs\"\n```\n\n## Notes / caveats\n\n- **Run elevated.** All write operations target `C:\\Program Files\\` and modify\n  service configuration; the installer enforces this with `#Requires -RunAsAdministrator`.\n- **PowerShell 5.1 
compatibility.** The maintenance script is launched via\n  `powershell.exe -File`, i.e. Windows PowerShell 5.1. Keep it ASCII-only:\n  without a BOM, PowerShell 5.1 decodes the file using the system ANSI code\n  page, so non-ASCII characters are misread and can trigger a parser error.\n- **Stale version dirs.** `winget`/MSI does not remove old versioned install\n  dirs under `C:\\Program Files\\Elastic\\Beats\\`. The installer cleans them up\n  automatically after a successful verification (pass `-KeepOldVersions` to\n  opt out). The maintenance script always picks the highest version that\n  matches `^\\d+\\.\\d+\\.\\d+$`, so cleanup never affects what the service runs.\n- **Scheduled task trigger** fires on **any** MSI install on the system, not\n  just Winlogbeat upgrades. The maintenance script is idempotent: if nothing\n  changed, it's a fast no-op. Because the task executes whatever is at\n  `C:\\Program Files\\Elastic\\Beats\\Fix-WinlogbeatService.ps1` on every MSI\n  install, keep that directory writable by administrators only (the default\n  ACL under `C:\\Program Files\\`).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbitranox%2Fwinlogbeat_installer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbitranox%2Fwinlogbeat_installer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbitranox%2Fwinlogbeat_installer/lists"}
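The binPath re-pointing that the README above describes under "What it does" and "Future upgrades" (pick the newest `<ver>` dir, point the `winlogbeat` service at the stable config/data/logs paths, re-apply idempotently), as an added example. This is not the project's own `Fix-WinlogbeatService.ps1`; the root, task and file names follow the README, while the exact flag set in the binPath (`--environment=windows_service`, `-c`, `--path.*`, `-E logging.files.redirect_stderr=true`) is an assumption taken from how Beats registers its Windows service and should be compared against `sc.exe qc winlogbeat` on a freshly installed box.

```powershell
#Requires -Version 5.1
#Requires -RunAsAdministrator
# Added example, not the project's maintenance script. Shows the mechanism:
# newest versioned dir -> expected binPath -> apply only when it differs.

$BeatsRoot  = 'C:\Program Files\Elastic\Beats'
$StableYml  = Join-Path $BeatsRoot 'winlogbeat.yml'
$StableData = Join-Path $BeatsRoot 'data'
$StableLogs = Join-Path $BeatsRoot 'logs'

function Get-NewestWinlogbeatVersionDir {
    param([string]$Root = $BeatsRoot)
    # Only dirs named like 9.4.1 qualify. Sort as [version], not as a string,
    # so that 9.10.0 ranks above 9.9.0.
    $dirs = Get-ChildItem -LiteralPath $Root -Directory -ErrorAction Stop |
        Where-Object { $_.Name -match '^\d+\.\d+\.\d+$' } |
        Sort-Object { [version]$_.Name } -Descending
    foreach ($d in $dirs) {
        $exe = Join-Path $d.FullName 'winlogbeat\winlogbeat.exe'
        if (Test-Path -LiteralPath $exe) { return $d }   # newest dir that actually has a binary
    }
    throw "No versioned Winlogbeat install found under $Root"
}

function New-WinlogbeatBinPath {
    param([Parameter(Mandatory)][string]$VersionDir)
    $homeDir = Join-Path $VersionDir 'winlogbeat'
    $exe     = Join-Path $homeDir 'winlogbeat.exe'
    # Every path contains spaces, so each one is quoted; sc.exe stores the value verbatim.
    # Flag set is an ASSUMPTION (mirrors Beats' own service registration); verify on your box.
    $fmt = '"{0}" --environment=windows_service -c "{1}" --path.home "{2}" --path.data "{3}" --path.logs "{4}" -E logging.files.redirect_stderr=true'
    $fmt -f $exe, $StableYml, $homeDir, $StableData, $StableLogs
}

function Get-ServiceBinPath {
    param([string]$Name = 'winlogbeat')
    # PathName is the raw ImagePath, the same string `sc.exe qc` prints as BINARY_PATH_NAME.
    (Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'").PathName
}

function Set-WinlogbeatBinPath {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Name = 'winlogbeat')
    $want = New-WinlogbeatBinPath -VersionDir (Get-NewestWinlogbeatVersionDir).FullName
    $have = Get-ServiceBinPath -Name $Name
    if ($have -eq $want) {
        Write-Verbose "binPath already correct: $have"
        return $false                                   # idempotent no-op
    }
    if ($PSCmdlet.ShouldProcess($Name, "set binPath to $want")) {
        # sc.exe syntax requires the space after 'binPath='; the value is passed as one argument.
        & sc.exe config $Name binPath= $want | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }
        Restart-Service -Name $Name                     # a new binPath only takes effect on (re)start
    }
    return $true
}

Set-WinlogbeatBinPath -WhatIf     # dry run: prints what would change
Set-WinlogbeatBinPath -Verbose    # apply; returns $true if the service was re-pointed
```

`Get-ServiceBinPath` is also the check to run after `winget upgrade --id Elastic.Winlogbeat`: the returned string should name the newest `<ver>` dir and `-c "C:\Program Files\Elastic\Beats\winlogbeat.yml"`, never a `winlogbeat.yml` inside the versioned dir.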
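The event-triggered scheduled task from step 4 of "What it does", together with the two caveats at the end of the README (the trigger fires on every MSI install, and the task executes a script from `C:\Program Files\Elastic\Beats\`), as an added example that is not the project's `install.ps1`. It registers the `MsiInstaller` / event ID 1033 trigger via the Task Scheduler CIM class, shows how to narrow the XPath to one product, and audits who can modify the script the task runs. Running the task as `SYSTEM`, the 30 s trigger delay, and the `EventData[Data[1]]` position of the product name are assumptions of this example; confirm the product-name string with `Get-MsiInstallEvents` before enabling that filter.

```powershell
#Requires -Version 5.1
#Requires -RunAsAdministrator
# Added example, not the project's installer. Task/script names follow the README.

$TaskName   = 'Fix-WinlogbeatService-OnMsiInstall'
$ScriptPath = 'C:\Program Files\Elastic\Beats\Fix-WinlogbeatService.ps1'

function Get-MsiInstallEvents {
    # Recent successful MSI installs, with the Product Name string as logged, so an
    # XPath filter can be written against the exact value (no substring matching is
    # available in event-subscription XPath).
    param([int]$Max = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MsiInstaller'; Id = 1033 } `
                 -MaxEvents $Max -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Product = $_.Properties[0].Value   # ASSUMPTION: first EventData field is Product Name
                Version = $_.Properties[1].Value
            }
        }
}

function New-MsiInstallEventTrigger {
    # No New-ScheduledTaskTrigger variant exists for event triggers; build the
    # MSFT_TaskEventTrigger CIM instance directly.
    param([string]$ProductName)   # omit to fire on every MSI install, as the README's task does
    $select = "*[System[Provider[@Name='MsiInstaller'] and EventID=1033]"
    if ($ProductName) { $select += " and EventData[Data[1]='$ProductName']" }   # ASSUMPTION: Data[1] = Product Name
    $select += ']'
    $xml = "<QueryList><Query Id='0' Path='Application'><Select Path='Application'>$select</Select></Query></QueryList>"
    $class = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
    $t = New-CimInstance -CimClass $class -ClientOnly
    $t.Enabled      = $true
    $t.Subscription = $xml
    $t.Delay        = 'PT30S'     # give msiexec time to finish re-registering the service
    $t
}

function Register-FixTask {
    param([string]$ProductName)
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                     -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$ScriptPath`""
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    $settings  = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew -ExecutionTimeLimit (New-TimeSpan -Minutes 5)
    Register-ScheduledTask -TaskName $TaskName -Action $action `
        -Trigger (New-MsiInstallEventTrigger -ProductName $ProductName) `
        -Principal $principal -Settings $settings -Force | Out-Null
}

function Test-FixTaskAction {
    # The task must run exactly the deployed script, nothing else.
    $task      = Get-ScheduledTask -TaskName $TaskName -ErrorAction Stop
    $argString = $task.Actions[0].Arguments
    $ok = $argString -like "*-File `"$ScriptPath`"*"
    if (-not $ok) { Write-Warning "Task action does not run ${ScriptPath}: $argString" }
    $ok
}

function Test-ScriptWriteAcl {
    # Whoever can modify this file runs code in the task's context on the next MSI
    # install anywhere on the box, so only the usual Program Files owners may.
    param([string]$Path = $ScriptPath)
    $trusted   = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')
    $writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, ChangePermissions, TakeOwnership'
    $bad = (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $writeMask) -ne 0) -and
        ($trusted -notcontains $_.IdentityReference.Value)
    }
    foreach ($b in $bad) { Write-Warning ('{0} can modify {1} ({2})' -f $b.IdentityReference, $Path, $b.FileSystemRights) }
    return (@($bad).Count -eq 0)
}

Get-MsiInstallEvents | Format-Table     # read the exact Product Name string first
Register-FixTask                         # fire on any MSI install (README behaviour)
# Register-FixTask -ProductName 'Winlogbeat'   # narrowed trigger, once the name is confirmed
Test-FixTaskAction
Test-ScriptWriteAcl
```

`Test-ScriptWriteAcl` returns `$false` and warns for each non-trusted identity holding a write-class right; a `$false` here means a local user could turn the next unrelated MSI install into code execution in the task's context, which is the practical reason the README keeps the script under `C:\Program Files\`.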