Windows event logs, particularly logon and logon failure events, offer crucial insight into the security of Windows-based infrastructures, and can be monitored and visualized effectively using Winlogbeat and the Elastic stack. Winlogbeat, a lightweight shipper, collects event log data and forwards it to Elasticsearch or Logstash; version 5.0 ships the raw event data, which improves filtering and aggregation. By configuring Winlogbeat to track security events and applying specific filters in Kibana, users can identify abnormal logon patterns that might indicate compromised credentials or unauthorized access attempts. Monitoring failed logons, which Windows records as event ID 4625, can help detect unauthorized access attempts and infrastructure issues. Visualizing the geographic origin of remote logons, especially Remote Desktop connections, can also uncover anomalies such as unexpected access from unfamiliar locations, which warrant further investigation. GeoIP filters in Logstash enrich event data with location information, allowing map-based visualizations in Kibana; this requires specific configuration changes to the Elasticsearch index template used for Winlogbeat data.
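An added example, not code from the original article, of the failed-logon monitoring described above: it flags source addresses that produce a burst of event ID 4625 failures and records whether a successful logon (event ID 4624) from the same address followed. The Winlogbeat 5.x field names (`event_id`, `event_data.IpAddress`, `event_data.TargetUserName`), the threshold, the window and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def make_event(time, event_id, user, ip):
    # Field names follow the Winlogbeat 5.x document layout (an assumption here).
    return {"@timestamp": "2017-01-10T" + time + "Z", "event_id": event_id,
            "event_data": {"TargetUserName": user, "IpAddress": ip}}

# Constructed sample data using documentation address ranges, not real logs.
SAMPLE_EVENTS = [
    make_event("09:00:01", 4625, "alice", "203.0.113.7"),
    make_event("09:00:20", 4625, "alice", "203.0.113.7"),
    make_event("09:01:05", 4625, "admin", "203.0.113.7"),
    make_event("09:02:10", 4625, "alice", "203.0.113.7"),
    make_event("09:02:40", 4624, "alice", "203.0.113.7"),   # success after the burst
    make_event("09:10:00", 4625, "bob", "198.51.100.23"),   # single failure, not a burst
    make_event("09:10:30", 4624, "bob", "198.51.100.23"),
    make_event("09:15:00", 4625, "svc", "-"),               # no source address recorded
]

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def failed_logon_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Map source IP -> finding for sources with >= threshold failures inside window."""
    recent = defaultdict(list)   # source IP -> [(time, user)] failures still inside the window
    findings = {}
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        data = ev.get("event_data", {})
        ip = data.get("IpAddress", "-")
        if ip in ("-", "", "::1", "127.0.0.1"):
            continue             # local or missing address: nothing to attribute
        ts = parse_ts(ev["@timestamp"])
        if ev["event_id"] == 4625:
            recent[ip] = [(t, u) for t, u in recent[ip] if ts - t <= window]
            recent[ip].append((ts, data.get("TargetUserName")))
            if len(recent[ip]) >= threshold:
                hit = findings.setdefault(
                    ip, {"failures": 0, "users": set(), "success_as": None})
                hit["failures"] = max(hit["failures"], len(recent[ip]))
                hit["users"].update(u for _, u in recent[ip])
        elif ev["event_id"] == 4624 and ip in findings and not findings[ip]["success_as"]:
            # A success right after a burst is the pattern worth triaging first.
            findings[ip]["success_as"] = data.get("TargetUserName")
    return findings

if __name__ == "__main__":
    for ip, hit in failed_logon_bursts(SAMPLE_EVENTS).items():
        print(ip, hit)
```

A finding with `success_as` set is the higher-priority case, since it pairs repeated failures with a later successful logon from the same address.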