This post is about Windows logging with Winlogbeat and Sysmon, collecting the event logs that matter most (Application, System, Security and the Sysmon operational log) and shipping them to an ELK stack.
Without going into the installation of the ELK stack itself, I will start with installing the services and configuring the server to process those logs. Here is the link to an installation script for the ELK stack: http://snehpatel.com/index.php/shell-script-for-elk-installation/
First, let's set up the server to receive the logs. Specifically, this means adding a pipeline configuration file for Logstash, since the Windows clients will send their logs straight to Logstash rather than to Elasticsearch.
Note: All configuration was tested on CentOS. Make sure iptables (or firewalld) allows inbound TCP 5044 from the Windows clients, and preferably only from them: the Beats input as configured below has no TLS, so anything that can reach the port can inject events.
- Create a new file in /etc/logstash/conf.d/:
nano /etc/logstash/conf.d/windowslog.conf
- Note: Make sure /etc/logstash/conf.d/*.conf is covered by path.config in /etc/logstash/pipelines.yml (the default for package installs); otherwise Logstash will never load the file.
- Add the following configuration and save the file.
input {
  beats {
    port => 5044
  }
}

# The filter part of this file is commented out to indicate that it
# is optional.
# filter {
#
# }

output {
  elasticsearch {
    hosts => ["localhost:9200"]
    manage_template => false
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
}
- Restart the Logstash service (running Logstash once with --config.test_and_exit first will catch syntax errors before the restart).
sudo systemctl restart logstash
Now it is time for the Windows client settings. Let's start with the installation of Sysmon. Sysmon (System Monitor) is a Sysinternals service and driver that records process creation with full command lines and hashes, network connections, driver and image loads, file creation time changes and more to the Microsoft-Windows-Sysmon/Operational event log, which is far richer than the stock Security log.
Follow these steps to enable Sysmon on your Windows client.
- Download sysmon from the following link : https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
- Unzip the package and move it to C:\Program Files
- Rename the folder to "sysmon"
- Open a command prompt with administrator privileges and change to that directory
- Enter the following command to install Sysmon (-i installs the service, -n adds network connection logging on top of the default rules, -accepteula skips the licence prompt). Sysmon64.exe is the native 64-bit build; Sysmon.exe also works on 64-bit Windows.
Sysmon.exe -i -n -accepteula
- Check in Services (services.msc) that the Sysmon service is running, and in Event Viewer that Applications and Services Logs > Microsoft > Windows > Sysmon > Operational is receiving events. The default rule set is deliberately minimal; for real coverage, install with -i sysmonconfig.xml using a tuned rule file (for example one based on the SwiftOnSecurity sysmon-config) and update it later with -c sysmonconfig.xml.
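The same Sysmon installation as a scripted, verifiable step, as an added example that is not part of the original post. It assumes the Sysmon zip was downloaded to $env:TEMP\Sysmon.zip and that an optional rule file lives at C:\sysmon\sysmonconfig.xml (a hypothetical path; for instance a copy of the SwiftOnSecurity sysmon-config). If that file is absent it falls back to the post's plain "-i -n" install. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): install or update Sysmon and
# verify it is actually producing events before pointing Winlogbeat at it.
# Assumed paths: $env:TEMP\Sysmon.zip and C:\sysmon\sysmonconfig.xml (hypothetical).

$SysmonDir = 'C:\Program Files\sysmon'
$RuleFile  = 'C:\sysmon\sysmonconfig.xml'
$LogName   = 'Microsoft-Windows-Sysmon/Operational'

if (-not (Test-Path "$SysmonDir\Sysmon.exe")) {
    Expand-Archive -Path "$env:TEMP\Sysmon.zip" -DestinationPath $SysmonDir -Force
}
$Sysmon = Join-Path $SysmonDir 'Sysmon.exe'

$installed = Get-Service -Name 'Sysmon*' -ErrorAction SilentlyContinue
if (-not $installed) {
    if (Test-Path $RuleFile) {
        & $Sysmon -accepteula -i $RuleFile     # install with a tuned rule file
    } else {
        & $Sysmon -accepteula -i -n            # default rules + network connections
    }
} elseif (Test-Path $RuleFile) {
    & $Sysmon -c $RuleFile                     # already installed: only reload rules
}
if ($LASTEXITCODE -ne 0) { throw "Sysmon returned exit code $LASTEXITCODE" }

# 1. The service must be running.
$svc = Get-Service -Name 'Sysmon*' | Where-Object Status -eq 'Running'
if (-not $svc) { throw 'Sysmon service is not running' }

# 2. Generate a process-creation event (ID 1) and make sure it was logged.
Start-Process -FilePath 'cmd.exe' -ArgumentList '/c whoami' -WindowStyle Hidden -Wait
Start-Sleep -Seconds 2
$recent = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 1 } -MaxEvents 20

# Read the Image field from the EventData XML rather than by positional index,
# because the property order differs between Sysmon versions.
$images = foreach ($e in $recent) {
    ([xml]$e.ToXml()).Event.EventData.Data |
        Where-Object Name -eq 'Image' | Select-Object -ExpandProperty '#text'
}
if (-not ($images -match 'cmd\.exe$')) {
    throw 'No Sysmon event ID 1 for cmd.exe: is the rule set excluding it?'
}

# 3. Dump the active configuration so you can see which rules are loaded;
#    this is exactly what Winlogbeat will be forwarding.
& $Sysmon -c
"Sysmon OK: service '$($svc.Name)' running, $($recent.Count) recent process-create events"
```

Rerunning the script is safe: once the service exists it only reloads the rule file with -c, which is also how a changed configuration is rolled out later without reinstalling the driver.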
Now let's go through the installation of the Winlogbeat service.
- Download Winlogbeat from the following link: https://www.elastic.co/downloads/beats/winlogbeat
- Unzip it, rename the folder to "winlogbeat" and move it to C:\Program Files
- Open PowerShell with administrator privileges and change directory to the winlogbeat folder
- Run the following script, which registers the winlogbeat service (it does not start it):
.\install-service-winlogbeat.ps1
NOTE: Script execution is restricted in PowerShell by default. The following commands show the current policy and allow locally created scripts to run for your user; if the extracted script is still blocked because it came from the internet, Unblock-File it first. Running the script once with "powershell.exe -ExecutionPolicy Bypass -File" avoids changing the policy permanently.
Get-ExecutionPolicy -List
Set-ExecutionPolicy -Scope "CurrentUser" -ExecutionPolicy "RemoteSigned"
- Now open winlogbeat.yml in a text editor and delete all of its contents.
- Paste in the following configuration (YAML is indentation-sensitive, so keep the spacing exactly).
winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: System
  - name: Security
    processors:
      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js
  - name: Microsoft-Windows-Sysmon/Operational
    processors:
      - script:
          lang: javascript
          id: sysmon
          file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js

setup.template.settings:
  index.number_of_shards: 1
setup.dashboards.enabled: true
setup.kibana:
  host: "172.16.1.250:5601"

output.logstash:
  hosts: ["172.16.1.250:5044"]

processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
- Make sure to change the IP addresses of Kibana and Logstash to your ELK host (172.16.1.250 in this example).
- Now go to Services, start the winlogbeat service and check that the Sysmon service is still running.
That's it: once events flow, the winlogbeat-* index and the Winlogbeat dashboards appear in Kibana. One caveat: setup.dashboards.enabled only loads the dashboards and index pattern through Kibana. The index template is loaded only when Winlogbeat's own output is Elasticsearch, so with a Logstash output run winlogbeat.exe setup once with a temporary Elasticsearch output; otherwise the fields are mapped dynamically and some dashboard visualisations will not work.
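The Winlogbeat steps above as one scripted, checked procedure, as an added example that is not part of the original post. It assumes Winlogbeat is unzipped to C:\Program Files\winlogbeat with the winlogbeat.yml shown above, that Elasticsearch listens on 172.16.1.250:9200 and Kibana on 172.16.1.250:5601 (the ELK host used in this post), and that the service wrapper writes its logs to C:\ProgramData\winlogbeat\logs (the default set by install-service-winlogbeat.ps1). Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): register the Winlogbeat service,
# validate the config and the Logstash connection before starting it, load the
# index template and Kibana dashboards, then confirm the beat is healthy.
# Assumed addresses: Elasticsearch 172.16.1.250:9200, Kibana 172.16.1.250:5601.

$BeatDir = 'C:\Program Files\winlogbeat'
$EsHost  = '172.16.1.250:9200'
$Kibana  = '172.16.1.250:5601'
$LogDir  = 'C:\ProgramData\winlogbeat\logs'   # assumed default from the install script
Set-Location $BeatDir

# Register the service with a one-off execution policy instead of changing the
# user's policy permanently with Set-ExecutionPolicy.
if (-not (Get-Service -Name winlogbeat -ErrorAction SilentlyContinue)) {
    powershell.exe -ExecutionPolicy Bypass -File .\install-service-winlogbeat.ps1
}

# Catch YAML/indentation mistakes before the service is started.
& .\winlogbeat.exe test config -c .\winlogbeat.yml
if ($LASTEXITCODE -ne 0) { throw 'winlogbeat.yml did not validate' }

# Confirm the Beats input on Logstash (TCP 5044) is reachable; a firewall
# or TLS mismatch shows up here rather than as silently missing events later.
& .\winlogbeat.exe test output -c .\winlogbeat.yml
if ($LASTEXITCODE -ne 0) { throw 'cannot reach Logstash on 5044' }

# Winlogbeat loads the index template and dashboards only when it talks to
# Elasticsearch directly, so run setup once with the Logstash output disabled.
& .\winlogbeat.exe setup -e `
    -E 'output.logstash.enabled=false' `
    -E "output.elasticsearch.hosts=['$EsHost']" `
    -E "setup.kibana.host=$Kibana"
if ($LASTEXITCODE -ne 0) { throw 'winlogbeat setup failed' }

# install-service-winlogbeat.ps1 creates the service but does not start it.
Start-Service -Name winlogbeat
Start-Sleep -Seconds 5

$svc = Get-Service -Name winlogbeat
if ($svc.Status -ne 'Running') { throw "winlogbeat service is $($svc.Status)" }

# Surface recent errors from the beat's own log (connection failures to Logstash,
# unreadable channels such as a missing Sysmon log, etc.).
$log = Get-ChildItem -Path $LogDir -Filter 'winlogbeat*' -ErrorAction SilentlyContinue |
       Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($log) {
    $errors = Select-String -Path $log.FullName -Pattern '\bERROR\b' | Select-Object -Last 5
    if ($errors) { $errors | ForEach-Object { $_.Line } } else { "No errors in $($log.Name)" }
} else {
    "No Winlogbeat log found under $LogDir yet"
}
```

The setup step is the one most people skip when shipping through Logstash; running it from the client works because Winlogbeat only needs a one-time direct connection to Elasticsearch and Kibana, after which the normal Logstash output is used for events.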
References:
- https://silentbreaksecurity.com/windows-events-sysmon-elk/
- http://snehpatel.com/index.php/shell-script-for-elk-installation/
- https://community.sophos.com/kb/en-us/134205
- https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-configuration.html