DEV Community

Shresth Paul

Building a One-Click Windows Event Log Monitoring Stack with ELK + Grafana

Ever spent hours trying to set up proper Windows Event Log monitoring? I did. So I built a solution that deploys a complete ELK + Grafana stack in under 5 minutes. Here's how.

🎯 TL;DR

```powershell
git clone https://github.com/SecByShresth/Windows-ELK-Monitoring-Stack.git
cd Windows-ELK-Monitoring-Stack
.\oneclick-setup.ps1                 # Run as Administrator
.\winlogbeat\install-winlogbeat.ps1  # Install log collector
```

Result: Full Windows Event Log monitoring with Elasticsearch, Kibana, Logstash, and Grafana running locally.

🤔 The Problem

Windows Event Log monitoring shouldn't be this hard:

  • ❌ ELK stack setup takes hours
  • ❌ SSL certificate generation is complex
  • ❌ Winlogbeat configuration is confusing
  • ❌ No pre-built Windows dashboards
  • ❌ Multiple moving parts to coordinate

What we want:

run-script.ps1 → monitoring stack ready ✅

🛠️ The Solution Architecture

```
┌─────────────────┐    ┌──────────────────┐    ┌─────────────────┐
│   Winlogbeat    │───▶│    Logstash      │───▶│ Elasticsearch   │
│(Event Collector)│    │ (Port 5044)      │    │ (Port 9200)     │
└─────────────────┘    └──────────────────┘    └─────────────────┘
                                │                        │
                                ▼                        ▼
┌─────────────────┐    ┌──────────────────┐    ┌─────────────────┐
│    Grafana      │    │     Kibana       │    │   HTTP Only     │
│ (Port 3000)     │    │ (Port 5601)      │    │ (Local Dev)     │
└─────────────────┘    └──────────────────┘    └─────────────────┘
```

Tech Stack:

  • 🔍 Elasticsearch 8.11.2 (storage & search)
  • 📊 Kibana 8.11.2 (log exploration)
  • 🔄 Logstash 8.11.2 (log processing)
  • 📈 Grafana Latest (dashboards)
  • 📥 Winlogbeat 8.15.1 (log collection)
  • 🐳 Docker (containerization)
  • ⚡ PowerShell (automation)

🚀 Quick Start Guide

Prerequisites:

```powershell
# Check PowerShell version (need 5.1+)
$PSVersionTable.PSVersion

# Verify Docker Desktop is running
docker version
```

1. Clone and Setup

```powershell
git clone https://github.com/SecByShresth/Windows-ELK-Monitoring-Stack.git
cd Windows-ELK-Monitoring-Stack

# Set execution policy if needed
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
```

2. Run One-Click Setup

```powershell
.\oneclick-setup.ps1
```

What the script does:

  • ✅ Generates .env with random passwords
  • ✅ Checks Docker availability
  • ✅ Starts ELK + Grafana containers
  • ✅ Waits for services to be ready
  • ✅ Provides access URLs

3. Install Winlogbeat

```powershell
.\winlogbeat\install-winlogbeat.ps1
```

This will:

  • Download Winlogbeat 8.15.1
  • Install to C:\Program Files\winlogbeat
  • Configure for Application, System, Security logs
  • Register as Windows service
  • Start collecting logs immediately

4. Access Your Stack

Kibana: http://localhost:5601 — Log search & analysis

Grafana: http://localhost:3000 — Dashboards & monitoring

Elasticsearch: http://localhost:9200 — Raw API access
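Once the four steps above have run, the quickest way to know whether events are actually flowing is to ask Elasticsearch rather than to click around Kibana. The following check script is an added example, not part of the repository; it assumes the defaults described in this post (Elasticsearch on http://localhost:9200 with X-Pack security disabled, Kibana on 5601, Grafana on 3000, daily `winlogbeat-*` indices written by the Logstash pipeline, and Winlogbeat registered as the Windows service `winlogbeat`):

```powershell
# Added example (not part of the repository): a post-install check for the stack
# set up above. Assumes the post's defaults: Elasticsearch on http://localhost:9200
# with X-Pack security disabled, Kibana on :5601, Grafana on :3000, and Winlogbeat
# registered as the Windows service "winlogbeat".
$ErrorActionPreference = 'Stop'
$es = 'http://localhost:9200'

function Test-HttpEndpoint {
    param([string]$Name, [string]$Uri)
    try {
        $null = Invoke-WebRequest -Uri $Uri -UseBasicParsing -TimeoutSec 5
        Write-Host ("[OK]   {0,-14} {1}" -f $Name, $Uri)
        $true
    } catch {
        Write-Host ("[FAIL] {0,-14} {1}: {2}" -f $Name, $Uri, $_.Exception.Message)
        $false
    }
}

$esUp = Test-HttpEndpoint 'Elasticsearch' "$es/_cluster/health"
$kbUp = Test-HttpEndpoint 'Kibana'        'http://localhost:5601/api/status'
$grUp = Test-HttpEndpoint 'Grafana'       'http://localhost:3000/api/health'
$ok = $esUp -and $kbUp -and $grUp

if ($esUp) {
    # yellow is normal for a single node: replica shards have nowhere to go
    $health = Invoke-RestMethod -Uri "$es/_cluster/health"
    Write-Host "Cluster '$($health.cluster_name)' is $($health.status) with $($health.number_of_nodes) node(s)"

    # Daily indices written by the Logstash pipeline (winlogbeat-YYYY.MM.dd)
    $indices = @(Invoke-RestMethod -Uri "$es/_cat/indices/winlogbeat-*?format=json&h=index,docs.count,store.size")
    if ($indices.Count -eq 0) {
        Write-Warning 'No winlogbeat-* index yet: check the winlogbeat service and the Logstash container logs.'
        $ok = $false
    } else {
        $indices | Sort-Object index | Format-Table index, 'docs.count', 'store.size' -AutoSize | Out-Host

        # Per-channel counts. A match query works whether winlog.channel was mapped
        # as keyword (Winlogbeat template) or as text (dynamic mapping via Logstash).
        foreach ($channel in 'Application', 'System', 'Security') {
            $q = @{ query = @{ match = @{ 'winlog.channel' = $channel } } } | ConvertTo-Json -Depth 5
            $c = Invoke-RestMethod -Method Post -Uri "$es/winlogbeat-*/_count" -ContentType 'application/json' -Body $q
            Write-Host ("  {0,-12} {1,8} events" -f $channel, $c.count)
            if ($channel -eq 'Security' -and $c.count -eq 0) {
                Write-Warning 'No Security events: the collector needs LocalSystem or Event Log Readers rights to read that channel.'
            }
        }

        # Newest event overall: a stale @timestamp means Winlogbeat stopped shipping.
        $q = @{ size = 1; sort = @(@{ '@timestamp' = 'desc' }); _source = @('@timestamp', 'winlog.channel', 'winlog.event_id') } | ConvertTo-Json -Depth 5
        $hit = (Invoke-RestMethod -Method Post -Uri "$es/winlogbeat-*/_search" -ContentType 'application/json' -Body $q).hits.hits | Select-Object -First 1
        if ($hit) {
            $src = $hit._source
            Write-Host "Newest event: $($src.'@timestamp') $($src.winlog.channel) event_id=$($src.winlog.event_id)"
        }
    }
}

# The collector itself
$svc = Get-Service -Name winlogbeat -ErrorAction SilentlyContinue
if (-not $svc)                     { Write-Warning 'winlogbeat service is not installed'; $ok = $false }
elseif ($svc.Status -ne 'Running') { Write-Warning "winlogbeat service is $($svc.Status)"; $ok = $false }
else                               { Write-Host '[OK]   winlogbeat service is running' }

if ($ok) { Write-Host 'Stack looks healthy.' } else { Write-Warning 'One or more checks failed.' }
```

Run it from the same elevated PowerShell session used for the install. The two failure modes it is built to catch are the common ones: no `winlogbeat-*` index at all (Winlogbeat is not reaching Logstash on 5044, or Logstash is not reaching Elasticsearch) and Application/System events present but zero Security events (the service account cannot read the Security channel).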

🔥 What Makes This Special

Zero-Configuration Deployment

```powershell
.\oneclick-setup.ps1
```

Smart PowerShell Automation

Generates random passwords:

```powershell
# $len is the number of random bytes drawn from the OS CSPRNG, not the length of
# the returned string: Base64 of 20 bytes is 28 characters. The -replace maps the
# Base64 symbols '+', '/' and the '=' padding to 'A' so the result is purely
# alphanumeric (safe to drop into .env without quoting), at the cost of a little
# entropy in those positions.
function RandStr($len = 20) {
    $bytes = New-Object 'Byte[]' $len
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    [System.Convert]::ToBase64String($bytes) -replace '[^a-zA-Z0-9]', 'A'
}
```

Waits for services to be ready:

```powershell
# Poll cluster health for up to 5 minutes (60 tries x 5 s). Any status
# (green/yellow/red) means the HTTP layer is up; yellow is the normal state of a
# single-node cluster because replica shards cannot be allocated.
for ($i = 0; $i -lt 60; $i++) {
    try {
        $resp = Invoke-RestMethod -Uri 'http://localhost:9200/_cluster/health'
        if ($resp.status) { break }
    } catch { Start-Sleep -Seconds 5 }
}
```

Pre-Configured Everything

  • 📋 Kibana index patterns ready
  • 🎨 Grafana datasources auto-provisioned
  • 🔍 Logstash pipeline configured for Windows logs
  • 📊 Sample dashboards included

Docker Compose Magic

```yaml
services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:8.11.2
    environment:
      - xpack.security.enabled=false   # no authentication and no TLS: acceptable on an isolated dev box only
      - discovery.type=single-node
    ports:
      - 9200:9200                      # publishes on every host interface; 127.0.0.1:9200:9200 keeps it loopback-only

  kibana:
    image: docker.elastic.co/kibana/kibana:8.11.2
    depends_on:
      - elasticsearch
    ports:
      - 5601:5601
```

📁 Project Structure

```
windows-elk-monitoring-stack/
├── oneclick-setup.ps1              # Main setup script
├── docker-compose.yml              # Container orchestration
├── .env.example                    # Config template
├── grafana/
│   ├── dashboards/                 # Pre-built dashboards
│   └── provisioning/               # Auto-configuration
├── logstash/
│   └── pipeline/winlog.conf        # Windows log processing
├── winlogbeat/
│   ├── install-winlogbeat.ps1      # Collector installer
│   └── winlogbeat.template.yml     # Log collection config
└── README.md                       # Full documentation
```

🎨 What You'll See

Kibana Discover (KQL):

```
winlog.event_id: 4625                               # Failed logons (Winlogbeat also copies the ID to event.code)
log.level: "error"                                  # Application errors (Winlogbeat maps the Windows level to ECS log.level, lowercase)
@timestamp >= now-1h and winlog.channel: "System"   # Recent system events
```

Grafana Dashboards:

  • Windows Events Overview
  • Security Event Monitoring
  • System Health Alerts
  • Application Error Tracking

🔧 Advanced Usage

Custom Log Sources

Add channels to winlogbeat.template.yml using the full channel name shown in the log's Properties dialog in Event Viewer:

```yaml
winlogbeat.event_logs:
  - name: Application
  - name: System
  - name: Security
  # Present on every modern Windows, but the valuable 4104 script-block events
  # only appear once Script Block Logging is enabled via Group Policy
  - name: Microsoft-Windows-PowerShell/Operational
  # Only exists once Sysmon is installed
  - name: Microsoft-Windows-Sysmon/Operational
```

Logstash Processing

```conf
input {
  beats { port => 5044 }   # Winlogbeat ships here: plain TCP, no TLS, no client authentication
}

filter {
  # Winlogbeat 8.x sends winlog.event_id as a string (keyword), so compare against a string;
  # a bare 4625 would never match
  if [winlog][event_id] == "4625" {
    mutate { add_tag => [ "failed_login" ] }
  }
}

output {
  elasticsearch {
    hosts => ["http://elasticsearch:9200"]   # service name on the compose network; no credentials because X-Pack security is off
    index => "winlogbeat-%{+YYYY.MM.dd}"
  }
}
```
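Tagging a single 4625 is only the first step; the interesting signal is how failed logons cluster by source and by target. The script below is an added example, not code from the repository: it runs a brute-force and a password-spray detector over a handful of constructed, Winlogbeat-shaped 4625 events. The nested field names are the ones Winlogbeat emits for that event (`winlog.event_id` as a string, account, source address, logon type and status under `winlog.event_data`); the thresholds, window and sample data are assumptions chosen for the demonstration. Against the live stack the same grouping is a terms aggregation on `winlog.event_data.IpAddress` and `winlog.event_data.TargetUserName`; here it runs offline.

```powershell
# Added example (not part of the repository): brute-force and password-spray
# detection over constructed Winlogbeat-shaped 4625 events. Field names follow
# what Winlogbeat emits for 4625; the events, thresholds and window are made up.

function New-SampleEvent {
    param([int]$Seconds, [string]$Id, [string]$User, [string]$Ip, [string]$Status)
    $t = ([datetime]'2024-01-10T09:00:00Z').ToUniversalTime().AddSeconds($Seconds)
    [pscustomobject]@{
        '@timestamp' = $t.ToString('o')
        winlog = [pscustomobject]@{
            event_id   = $Id            # string, as Winlogbeat 8.x sends it
            channel    = 'Security'
            event_data = [pscustomobject]@{
                TargetUserName = $User; IpAddress = $Ip; LogonType = '3'; Status = $Status
            }
        }
    }
}

# Constructed sample data (not real logs). Status 0xC000006A = wrong password.
$events = @()
# 10.0.0.5 hammers "alice": six bad passwords in 100 seconds -> brute force
$events += 0..5 | ForEach-Object { New-SampleEvent -Seconds (20 * $_) -Id '4625' -User 'alice' -Ip '10.0.0.5' -Status '0xC000006A' }
# 10.0.0.9 tries one password against four different accounts -> password spray
$spray = 'bob', 'carol', 'dave', 'erin'
for ($i = 0; $i -lt $spray.Count; $i++) {
    $events += New-SampleEvent -Seconds (300 + 5 * $i) -Id '4625' -User $spray[$i] -Ip '10.0.0.9' -Status '0xC000006A'
}
# background noise: one typo from another host, and a successful logon (4624) that must be ignored
$events += New-SampleEvent -Seconds 400 -Id '4625' -User 'frank' -Ip '10.0.0.7' -Status '0xC000006A'
$events += New-SampleEvent -Seconds 460 -Id '4624' -User 'alice' -Ip '10.0.0.5' -Status '0x0'

function Get-EventTime([object]$Event) {
    [datetime]::Parse($Event.'@timestamp', [cultureinfo]::InvariantCulture, [System.Globalization.DateTimeStyles]::AdjustToUniversal)
}

function Find-LogonAttacks {
    param(
        [object[]]$Events,
        [int]$WindowMinutes = 5,
        [int]$BruteForceThreshold = 5,   # failures for one account from one source inside the window
        [int]$SprayThreshold = 4         # distinct accounts attacked from one source
    )
    $failed = @($Events | Where-Object { $_.winlog.event_id -eq '4625' })
    $alerts = @()

    # Brute force: same source and same target, >= threshold failures inside a sliding window.
    foreach ($g in ($failed | Group-Object { $_.winlog.event_data.IpAddress + '|' + $_.winlog.event_data.TargetUserName })) {
        $times = @($g.Group | ForEach-Object { Get-EventTime $_ } | Sort-Object)
        for ($i = 0; $i -lt $times.Count; $i++) {
            $end = $times[$i].AddMinutes($WindowMinutes)
            $n = @($times | Where-Object { $_ -ge $times[$i] -and $_ -le $end }).Count
            if ($n -ge $BruteForceThreshold) {
                $ip, $user = $g.Name -split '\|'
                $alerts += [pscustomobject]@{ Type = 'brute_force'; Source = $ip; Targets = $user; Failures = $n; FirstSeen = $times[$i] }
                break   # one alert per source/target pair
            }
        }
    }

    # Password spray: one source, many distinct accounts, however few failures per account.
    foreach ($g in ($failed | Group-Object { $_.winlog.event_data.IpAddress })) {
        $users = @($g.Group | ForEach-Object { $_.winlog.event_data.TargetUserName } | Sort-Object -Unique)
        if ($users.Count -ge $SprayThreshold) {
            $first = $g.Group | ForEach-Object { Get-EventTime $_ } | Sort-Object | Select-Object -First 1
            $alerts += [pscustomobject]@{ Type = 'password_spray'; Source = $g.Name; Targets = ($users -join ','); Failures = $g.Count; FirstSeen = $first }
        }
    }
    $alerts
}

Find-LogonAttacks -Events $events | Format-Table -AutoSize
```

With the sample data this produces exactly two alerts: a brute_force from 10.0.0.5 against alice (six failures) and a password_spray from 10.0.0.9 against bob, carol, dave and erin; frank's single typo and the 4624 are ignored. The spray rule is the one worth keeping in mind when building Kibana or Grafana alerts: per-account thresholds never fire on it, because each account sees only one failure.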

🚨 Important Security Notes

  • ⚠️ This setup is for LOCAL DEVELOPMENT/TESTING only. Elasticsearch runs with `xpack.security.enabled=false`, so every API, and every Windows Security event stored behind it, can be read, changed or deleted without credentials, and the Logstash Beats input on 5044 accepts events from any host that can reach it. The compose shorthand `9200:9200` also publishes a port on every interface of the host, not just loopback; on a shared network bind the ports to loopback instead (`127.0.0.1:9200:9200`, and likewise for 5601, 5044 and 3000). For production:
    • Enable Elasticsearch X-Pack security (authentication and role-based access), and give Kibana, Logstash and Grafana their own credentials
    • Configure SSL/TLS certificates for the HTTP endpoints and for the Winlogbeat to Logstash connection
    • Change default passwords
    • Implement proper authentication in front of Kibana and Grafana
    • Network segmentation: only collectors should reach 5044, only analysts should reach 5601 and 3000, and 9200 should not be reachable outside the stack itself
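It is worth seeing what "local dev" actually means on the wire before running this anywhere other than an isolated laptop. The following audit is an added example, not part of the repository; it assumes the post's defaults (ports 9200, 5601, 5044 and 3000 published by docker compose, X-Pack security disabled, everything reachable on localhost) and reports which interfaces the stack listens on and what can be read without credentials:

```powershell
# Added example (not part of the repository): audit what the stack exposes as
# deployed. Assumes the post's defaults: ports 9200, 5601, 5044 and 3000 published
# by docker compose, X-Pack security disabled, everything reachable on localhost.
$ports = @{ 9200 = 'Elasticsearch API'; 5601 = 'Kibana'; 5044 = 'Logstash Beats input'; 3000 = 'Grafana' }

# 1. Where do the published ports listen? The compose shorthand "9200:9200" binds
#    0.0.0.0 (and ::), i.e. every interface of the host, not just loopback.
$listeners = foreach ($c in Get-NetTCPConnection -State Listen) {
    if (-not $ports.ContainsKey([int]$c.LocalPort)) { continue }
    $reach = 'this host only'
    if ($c.LocalAddress -in @('0.0.0.0', '::')) { $reach = 'any network this host is on' }
    [pscustomobject]@{
        Service   = $ports[[int]$c.LocalPort]
        Port      = $c.LocalPort
        BoundTo   = $c.LocalAddress
        Reachable = $reach
    }
}
if ($listeners) { $listeners | Format-Table -AutoSize | Out-Host }
else            { Write-Host 'No stack ports are listening; is docker compose up?' }

# 2. Does Elasticsearch answer without credentials? HTTP 200 here means anyone who
#    can reach 9200 can read, modify or delete every index; with security on it is 401.
try {
    $root = Invoke-RestMethod -Uri 'http://localhost:9200/' -TimeoutSec 5
    Write-Warning "Elasticsearch '$($root.cluster_name)' (v$($root.version.number)) accepted an unauthenticated request."
    # What sits behind it: Security-channel events carry account names, logon sources and logon types.
    $q = @{ query = @{ match = @{ 'winlog.channel' = 'Security' } } } | ConvertTo-Json -Depth 5
    $c = Invoke-RestMethod -Method Post -Uri 'http://localhost:9200/winlogbeat-*/_count' -ContentType 'application/json' -Body $q
    Write-Warning "$($c.count) Windows Security events are readable anonymously."
} catch {
    $status = 0
    if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
    if ($status -eq 401) { Write-Host 'Elasticsearch requires authentication (good).' }
    else                 { Write-Host "Elasticsearch not reachable: $($_.Exception.Message)" }
}

# 3. Kibana: with security disabled its API answers without a login as well.
try {
    $r = Invoke-WebRequest -Uri 'http://localhost:5601/api/status' -UseBasicParsing -TimeoutSec 5
    Write-Warning "Kibana API answered HTTP $($r.StatusCode) without credentials."
} catch { Write-Host "Kibana: $($_.Exception.Message)" }

# 4. The Beats input has neither TLS nor client authentication in this compose file:
#    anything that can open TCP 5044 can inject forged events into the indices.
if (Test-NetConnection -ComputerName localhost -Port 5044 -InformationLevel Quiet -WarningAction SilentlyContinue) {
    Write-Warning 'Logstash Beats input (5044) is open; without TLS client certificates any host that reaches it can inject events.'
}
```

The cheapest fix for the first finding is to prefix every `ports:` entry in docker-compose.yml with `127.0.0.1:` (for example `127.0.0.1:9200:9200`); Winlogbeat on the same machine still reaches Logstash through localhost:5044, and nothing else on the network sees the stack. The other findings only go away by enabling X-Pack security and TLS, which is the production checklist above.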

🐛 Troubleshooting

Docker not running:

```powershell
docker version
```

Port conflicts (another process already bound to a stack port):

```powershell
netstat -ano | findstr ":9200"
netstat -ano | findstr ":5601"
netstat -ano | findstr ":3000"
```

Winlogbeat not collecting:

```powershell
Get-Service winlogbeat
# 8.x names its log files winlogbeat-<date>.ndjson; adjust the folder if the installer sets path.logs elsewhere
Get-Content "C:\Program Files\winlogbeat\logs\winlogbeat*" -Tail 50
Restart-Service winlogbeat
```

🎯 Performance & Resource Usage

Minimum Requirements:

  • 💾 4GB RAM (8GB recommended)
  • 💿 5GB disk space
  • 🖥️ Windows 10/11 or Server 2016+

Expected Usage:

  • Elasticsearch: ~512MB RAM
  • Kibana: ~200MB RAM
  • Logstash: ~300MB RAM
  • Grafana: ~100MB RAM
  • Winlogbeat: ~50MB RAM

🔮 Future Enhancements

  • SSL/TLS support with auto-generated certificates
  • Additional pre-built security dashboards
  • Sysmon integration templates
  • Multi-host centralized logging
  • Alert rule templates
  • Performance monitoring dashboards

🎉 Community & Contributions

Found this useful?

  • ⭐ Star the repository
  • 🔄 Share with your network
  • 🐛 Report issues on GitHub
  • 💡 Contribute improvements

Connect with me:

Portfolio: https://secbyshresth.github.io/Portfolio/

🏁 Conclusion

Windows Event Log monitoring doesn't have to be complicated. With this one-click solution, you get:

  • ✅ Complete ELK + Grafana stack in 5 minutes
  • ✅ Automated Windows Event Log collection
  • ✅ Pre-configured dashboards and index patterns
  • ✅ Docker containerization for easy management
  • ✅ PowerShell automation for Windows environments

Perfect for development, testing, lab work and ad-hoc incident response triage; for anything resembling production, even small-scale, work through the Security Notes above first.

Repository & Resources:

GitHub: https://github.com/SecByShresth/Windows-ELK-Monitoring-Stack

Quick Start:

```powershell
git clone https://github.com/SecByShresth/Windows-ELK-Monitoring-Stack.git
cd Windows-ELK-Monitoring-Stack
.\oneclick-setup.ps1
```
