Nybble Security Analytics: Onboard a Windows
Winlogbeat is the agent to install on a Windows to onboard it.
Before you begin
Connect to Nybble Hub at the Settings section to:
- download the Winlogbeat package: it contains software + configuration files
- grab your client short name: it will be used in network rules.
Winlogbeat installation
Winlogbeat itself has no sizing requirements: it's a lightweight agent (less than 2% CPU).
- Extract the contents of winlogbeat-package into C:\Program Files.
- Rename the winlogbeat-
directory to Winlogbeat. - Open a PowerShell prompt as an Administrator (right-click on the PowerShell icon and select Run As Administrator).
- From the PowerShell prompt, run the following commands to install the service.
PS C:\Users\Administrator> cd 'C:\Program Files\Winlogbeat' PS C:\Program Files\Winlogbeat> .\nybble-install-service-winlogbeat.ps1 Security warning Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your computer. If you trust this script, use the Unblock-File cmdlet to allow the script to run without this warning message. Do you want to run C:\Program Files\Winlogbeat\nybble-install-service-winlogbeat.ps1? [D] Do not run [R] Run once [S] Suspend [?] Help (default is "D"): R Status Name DisplayName ------ ---- ----------- Stopped winlogbeat winlogbeat
Note
If script execution is disabled on your system, you need to set the execution policy for the current session to allow the script to run.
Example: powershell.exe -ExecutionPolicy unrestricted -file .\nybble-install-service-winlogbeat.ps1
Network rules
Winlogbeat agent requires following network rule to communicate with Nybble's servers:
Source | Destination | Protocol | Usage |
---|---|---|---|
winlogbeat server | <clientshortname>-kafka-bootstrap.nybble-analytics.io <clientshortname>-kafka-broker-[0-9].nybble-analytics.io |
TCP 9094 | Event sending |