Collecting & analysing Windows event logs with Winlogbeat & ELK
- Added 30. 07. 2024
- In this video we’ll be using Winlogbeat to supplement the Security Onion sensor from the previous video with Windows event logs. This provides a single location in which to collate, search and analyse Windows events from multiple machines, and to correlate them with network events. We also cover how to create a GPO to configure Winlogbeat automatically.
References:
Previous video on Security Onion: • Bootstrap your Network...
Winlogbeat configuration (inc. encryption): docs.securityonion.net/en/2.3...
Windows Event Log encyclopedia: www.ultimatewindowssecurity.c...
Timecodes:
0:00 Introduction
3:02 Sensor Setup
3:22 Single Client Setup
4:46 A Simple Search
6:36 Multi-Client Setup (via GPO)
8:20 Final Thoughts
Credits:
Intro/Outro Music: Render - Prism: • Render - Prism [Creati... (via Argofox: / argofox )
Diagram icons designed by OpenMoji (openmoji.org/) CC BY-SA 4.0 - Science & Technology
Thanks mate! I am currently working on my Bachelor thesis, where I am using Security Onion in a test lab / virtual environment and running some Red Canary Atomic Tests against it.
Your channel is vastly underrated! There are not many good video step by step tutorials out there when it comes to Security Onion!
So yeah, thanks again mate! 🙏
Damn, thanks for reminding me what actual video quality looks like!
Your videos are really awesome, highly useful, easy to understand and practical.
Loving the videos man please keep it rolling!
Top tier videos. Thank you for creating this content.
Thanks!! You helped me find a problem I had with forwarding to SO, I'll be looking more at your resources.
amazing video, congrats, I came here trying to find a way to create default dashboards
Thanks mate!
I do like your enthusiasm. Well done. Carry on. I myself am looking at those videos as a beginner security enthusiast; a more simplistic approach is welcome for upcoming videos. Thanks.
Awesome Thank you
Great!!!
Thank you for this. I was struggling to get it working and it turns out I just missed a couple comment settings in the .yml. Your video solved it for me!
You are most welcome - it's great to hear this helped you out! :-)
Awesome video Andy! There are so many videos out there that consist of high-level but ultimately un-actionable information / buzz words, meanwhile you deliver concrete actionable information. Super high-value content (which is so hard to find).
Would you be into doing a video pushing DFIR agents (something like Velociraptor)?
Thank you as always for your kind words! :-) I confess I'd not heard of Velociraptor before - but it looks like it'd make a great addition to this blue-focussed series, so have added it to the list - thanks!!
Hi dude, it's really a nice video
Good Stuff! Would love to hear more about your hardware setup to host vms
I have a very modest VM host... a Ryzen 3550H 4C/8T mini-pc + 16GB RAM + 512MB NVMe, running ESXi 6.7. Not too expensive, runs cool & quiet, and doesn't consume a ton of electricity - yet still enough power for a handful of VMs (including SecOnion). The only time it's really struggled is when all my Windows hosts decided to update at exactly the same time! Let me know if you'd like to see more detail - could be a good topic for a future video!!
@rot169 thank you so much! A video on this would be great. You have great content. Keep doing the excellent work!
I'm trying the GPO part, but I have to reboot each computer in order to get it to work. I get an error message in Event Viewer saying that the GPO failed to apply because the service wasn't an installed service. I know it's a year later but I'm hoping you can help me out! Great video!!
Were you able to run logstash on eval mode? I cannot enable it.
I made this same mistake the first time! Eval mode doesn't start a logstash service; you have to install SecOnion in 'Standalone' mode!
@rot169 Thanks for replying, yes it works on standalone now :) Man, Security Onion is a very broad technology; I had to learn a lot. Keep posting :D
Haha yeah it's a great little distro! There's certainly more SecOnion-related stuff on the way 👍🏽