Add data winlogbeat (#36014) (#36359)

* Add data tutorial for Windows Event Log

src/legacy/core_plugins/kibana/common/tutorials/winlogbeat_instructions.js

@@ -0,0 +1,237 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import { i18n } from '@kbn/i18n';
+import { INSTRUCTION_VARIANT } from './instruction_variant';
+import { createTrycloudOption1, createTrycloudOption2 } from './onprem_cloud_instructions';
+import { getSpaceIdForBeatsTutorial } from '../lib/get_space_id_for_beats_tutorial';
+
+export const createWinlogbeatInstructions = context => ({
+  INSTALL: {
+    WINDOWS: {
+      title: i18n.translate('kbn.common.tutorials.winlogbeatInstructions.install.windowsTitle', {
+        defaultMessage: 'Download and install Winlogbeat',
+      }),
+      textPre: i18n.translate('kbn.common.tutorials.winlogbeatInstructions.install.windowsTextPre', {
+        defaultMessage: 'First time using Winlogbeat? See the [Getting Started Guide]({winlogbeatLink}).\n\
+ 1. Download the Winlogbeat Windows zip file from the [Download]({elasticLink}) page.\n\
+ 2. Extract the contents of the zip file into {folderPath}.\n\
+ 3. Rename the {directoryName} directory to `Winlogbeat`.\n\
+ 4. Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select \
+**Run As Administrator**). If you are running Windows XP, you might need to download and install PowerShell.\n\
+ 5. From the PowerShell prompt, run the following commands to install Winlogbeat as a Windows service.',
+        values: {
+          directoryName: '`winlogbeat-{config.kibana.version}-windows`',
+          folderPath: '`C:\\Program Files`',
+          winlogbeatLink: '{config.docs.beats.winlogbeat}/winlogbeat-getting-started.html',
+          elasticLink: 'https://www.elastic.co/downloads/beats/winlogbeat',
+        },
+      }),
+      commands: [
+        'cd "C:\\Program Files\\Winlogbeat"',
+        '.\\install-service-winlogbeat.ps1',
+      ],
+      textPost: i18n.translate('kbn.common.tutorials.winlogbeatInstructions.install.windowsTextPost', {
+        defaultMessage: 'Modify the settings under `output.elasticsearch` in the {path} file to point to your Elasticsearch installation.',
+        values: { path: '`C:\\Program Files\\Winlogbeat\\winlogbeat.yml`' },
+      }),
+    }
+  },
+  START: {
+    WINDOWS: {
+      title: i18n.translate('kbn.common.tutorials.winlogbeatInstructions.start.windowsTitle', {
+        defaultMessage: 'Start Winlogbeat',
+      }),
+      textPre: i18n.translate('kbn.common.tutorials.winlogbeatInstructions.start.windowsTextPre', {
+        defaultMessage: 'The `setup` command loads the Kibana dashboards. If the dashboards are already set up, omit this command.',
+      }),
+      commands: [
+        '.\\winlogbeat.exe setup',
+        'Start-Service winlogbeat',
+      ],
+    },
+  },
+  CONFIG: {
+    WINDOWS: {
+      title: i18n.translate('kbn.common.tutorials.winlogbeatInstructions.config.windowsTitle', {
+        defaultMessage: 'Edit the configuration',
+      }),
+      textPre: i18n.translate('kbn.common.tutorials.winlogbeatInstructions.config.windowsTextPre', {
+        defaultMessage: 'Modify {path} to set the connection information:',
+        values: {
+          path: '`C:\\Program Files\\Winlogbeat\\winlogbeat.yml`',
+        },
+      }),
+      commands: [
+        'output.elasticsearch:',
+        '  hosts: ["<es_url>"]',
+        '  username: "elastic"',
+        '  password: "<password>"',
+        'setup.kibana:',
+        '  host: "<kibana_url>"',
+        getSpaceIdForBeatsTutorial(context)
+      ],
+      textPost: i18n.translate('kbn.common.tutorials.winlogbeatInstructions.config.windowsTextPost', {
+        defaultMessage: 'Where {passwordTemplate} is the password of the `elastic` user, {esUrlTemplate} is the URL of Elasticsearch, \
+and {kibanaUrlTemplate} is the URL of Kibana.',
+        values: {
+          passwordTemplate: '`<password>`',
+          esUrlTemplate: '`<es_url>`',
+          kibanaUrlTemplate: '`<kibana_url>`',
+        },
+      }),
+    }
+  }
+});
+
+export const createWinlogbeatCloudInstructions = () => ({
+  CONFIG: {
+    WINDOWS: {
+      title: i18n.translate('kbn.common.tutorials.winlogbeatCloudInstructions.config.windowsTitle', {
+        defaultMessage: 'Edit the configuration',
+      }),
+      textPre: i18n.translate('kbn.common.tutorials.winlogbeatCloudInstructions.config.windowsTextPre', {
+        defaultMessage: 'Modify {path} to set the connection information for Elastic Cloud:',
+        values: {
+          path: '`C:\\Program Files\\Winlogbeat\\winlogbeat.yml`',
+        },
+      }),
+      commands: [
+        'cloud.id: "{config.cloud.id}"',
+        'cloud.auth: "elastic:<password>"'
+      ],
+      textPost: i18n.translate('kbn.common.tutorials.winlogbeatCloudInstructions.config.windowsTextPost', {
+        defaultMessage: 'Where {passwordTemplate} is the password of the `elastic` user.',
+        values: { passwordTemplate: '`<password>`' },
+      }),
+    }
+  }
+});
+
+export function winlogbeatStatusCheck() {
+  return {
+    title: i18n.translate('kbn.common.tutorials.winlogbeatStatusCheck.title', {
+      defaultMessage: 'Module status',
+    }),
+    text: i18n.translate('kbn.common.tutorials.winlogbeatStatusCheck.text', {
+      defaultMessage: 'Check that data is received from Winlogbeat',
+    }),
+    btnLabel: i18n.translate('kbn.common.tutorials.winlogbeatStatusCheck.buttonLabel', {
+      defaultMessage: 'Check data',
+    }),
+    success: i18n.translate('kbn.common.tutorials.winlogbeatStatusCheck.successText', {
+      defaultMessage: 'Data successfully received',
+    }),
+    error: i18n.translate('kbn.common.tutorials.winlogbeatStatusCheck.errorText', {
+      defaultMessage: 'No data has been received yet',
+    }),
+    esHitsCheck: {
+      index: 'winlogbeat-*',
+      query: {
+        bool: {
+          filter: {
+            term: {
+              'agent.type': 'winlogbeat',
+            },
+          },
+        },
+      },
+    },
+  };
+}
+
+export function onPremInstructions(platforms, context) {
+  const WINLOGBEAT_INSTRUCTIONS = createWinlogbeatInstructions(context);
+
+  return {
+    instructionSets: [
+      {
+        title: i18n.translate('kbn.common.tutorials.winlogbeat.premInstructions.gettingStarted.title', {
+          defaultMessage: 'Getting Started',
+        }),
+        instructionVariants: [
+          {
+            id: INSTRUCTION_VARIANT.WINDOWS,
+            instructions: [
+              WINLOGBEAT_INSTRUCTIONS.INSTALL.WINDOWS,
+              WINLOGBEAT_INSTRUCTIONS.CONFIG.WINDOWS,
+              WINLOGBEAT_INSTRUCTIONS.START.WINDOWS,
+            ],
+          },
+        ],
+        statusCheck: winlogbeatStatusCheck(),
+      },
+    ],
+  };
+}
+
+export function onPremCloudInstructions() {
+  const TRYCLOUD_OPTION1 = createTrycloudOption1();
+  const TRYCLOUD_OPTION2 = createTrycloudOption2();
+  const WINLOGBEAT_INSTRUCTIONS = createWinlogbeatInstructions();
+
+  return {
+    instructionSets: [
+      {
+        title: i18n.translate('kbn.common.tutorials.winlogbeat.premCloudInstructions.gettingStarted.title', {
+          defaultMessage: 'Getting Started',
+        }),
+        instructionVariants: [
+          {
+            id: INSTRUCTION_VARIANT.WINDOWS,
+            instructions: [
+              TRYCLOUD_OPTION1,
+              TRYCLOUD_OPTION2,
+              WINLOGBEAT_INSTRUCTIONS.INSTALL.WINDOWS,
+              WINLOGBEAT_INSTRUCTIONS.CONFIG.WINDOWS,
+              WINLOGBEAT_INSTRUCTIONS.START.WINDOWS,
+            ],
+          },
+        ],
+        statusCheck: winlogbeatStatusCheck(),
+      },
+    ],
+  };
+}
+
+export function cloudInstructions() {
+  const WINLOGBEAT_INSTRUCTIONS = createWinlogbeatInstructions();
+  const WINLOGBEAT_CLOUD_INSTRUCTIONS = createWinlogbeatCloudInstructions();
+
+  return {
+    instructionSets: [
+      {
+        title: i18n.translate('kbn.common.tutorials.winlogbeat.cloudInstructions.gettingStarted.title', {
+          defaultMessage: 'Getting Started',
+        }),
+        instructionVariants: [
+          {
+            id: INSTRUCTION_VARIANT.WINDOWS,
+            instructions: [
+              WINLOGBEAT_INSTRUCTIONS.INSTALL.WINDOWS,
+              WINLOGBEAT_CLOUD_INSTRUCTIONS.CONFIG.WINDOWS,
+              WINLOGBEAT_INSTRUCTIONS.START.WINDOWS,
+            ],
+          },
+        ],
+        statusCheck: winlogbeatStatusCheck(),
+      },
+    ],
+  };
+}

src/legacy/core_plugins/kibana/public/home/components/tutorial/replace_template_strings.js

@@ -54,7 +54,8 @@ export function replaceTemplateStrings(text, params = {}) {
           filebeat: documentationLinks.filebeat.base,
           metricbeat: documentationLinks.metricbeat.base,
           heartbeat: documentationLinks.heartbeat.base,
-          functionbeat: documentationLinks.functionbeat.base
+          functionbeat: documentationLinks.functionbeat.base,
+          winlogbeat: documentationLinks.winlogbeat.base,
         },
         logstash: documentationLinks.logstash.base,
         version: DOC_LINK_VERSION

src/legacy/core_plugins/kibana/server/tutorials/register.js

@@ -57,6 +57,7 @@ import { memcachedMetricsSpecProvider } from './memcached_metrics';
 import { muninMetricsSpecProvider } from './munin_metrics';
 import { vSphereMetricsSpecProvider } from './vsphere_metrics';
 import { windowsMetricsSpecProvider } from './windows_metrics';
+import { windowsEventLogsSpecProvider } from './windows_event_logs';
 import { golangMetricsSpecProvider } from './golang_metrics';
 import { logstashMetricsSpecProvider } from './logstash_metrics';
 import { prometheusMetricsSpecProvider } from './prometheus_metrics';
@@ -111,6 +112,7 @@ export function registerTutorials(server) {
   server.registerTutorial(muninMetricsSpecProvider);
   server.registerTutorial(vSphereMetricsSpecProvider);
   server.registerTutorial(windowsMetricsSpecProvider);
+  server.registerTutorial(windowsEventLogsSpecProvider);
   server.registerTutorial(golangMetricsSpecProvider);
   server.registerTutorial(logstashMetricsSpecProvider);
   server.registerTutorial(prometheusMetricsSpecProvider);

src/legacy/core_plugins/kibana/server/tutorials/windows_event_logs/index.js

@@ -0,0 +1,60 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import { i18n }  from '@kbn/i18n';
+import { TUTORIAL_CATEGORY } from '../../../common/tutorials/tutorial_category';
+import { onPremInstructions, cloudInstructions, onPremCloudInstructions } from '../../../common/tutorials/winlogbeat_instructions';
+
+export function windowsEventLogsSpecProvider(server, context) {
+  return {
+    id: 'windowsEventLogs',
+    name: i18n.translate('kbn.server.tutorials.windowsEventLogs.nameTitle', {
+      defaultMessage: 'Windows Event Log',
+    }),
+    isBeta: false,
+    category: TUTORIAL_CATEGORY.SECURITY,
+    shortDescription: i18n.translate('kbn.server.tutorials.windowsEventLogs.shortDescription', {
+      defaultMessage: 'Fetch logs from the Windows Event Log.',
+    }),
+    longDescription: i18n.translate('kbn.server.tutorials.windowsEventLogs.longDescription', {
+      defaultMessage: 'Use Winlogbeat to collect the logs from the Windows Event Log. \
+[Learn more]({learnMoreLink}).',
+      values: {
+        learnMoreLink: '{config.docs.beats.winlogbeat}/index.html',
+      },
+    }),
+    euiIconType: 'logoWindows',
+    artifacts: {
+      application: {
+        label: i18n.translate('kbn.server.tutorials.windowsEventLogs.artifacts.application.label', {
+          defaultMessage: 'SIEM App',
+        }),
+        path: '/app/siem'
+      },
+      dashboards: [],
+      exportedFields: {
+        documentationUrl: '{config.docs.beats.winlogbeat}/exported-fields.html'
+      }
+    },
+    completionTimeMinutes: 10,
+    onPrem: onPremInstructions(null, null, null, context),
+    elasticCloud: cloudInstructions(),
+    onPremElasticCloud: onPremCloudInstructions()
+  };
+}

src/legacy/ui/public/documentation_links/documentation_links.ts

@@ -49,6 +49,9 @@ export const documentationLinks = {
   functionbeat: {
     base: `${ELASTIC_WEBSITE_URL}guide/en/beats/functionbeat/${DOC_LINK_VERSION}`,
   },
+  winlogbeat: {
+    base: `${ELASTIC_WEBSITE_URL}guide/en/beats/winlogbeat/${DOC_LINK_VERSION}`,
+  },
   aggs: {
     date_histogram: `${ELASTIC_DOCS}search-aggregations-bucket-datehistogram-aggregation.html`,
     date_range: `${ELASTIC_DOCS}search-aggregations-bucket-daterange-aggregation.html`,