Hacker Newsnew | past | comments | ask | show | jobs | submitlogin
Monitoring for Windows Event Logs and the Untold Story of Proper ELK Integration (ubersec.com)
52 points by nreece on Dec 6, 2017 | hide | past | favorite | 4 comments


SysMon is the next step after changing the default audit policy.

https://github.com/MHaggis/sysmon-dfir

As of September 2017, v6.1 supports monitoring WMI subscribers.

https://rawsec.lu/blog/posts/2017/Sep/19/sysmon-v610-vs-wmi-...

Unfortunately I can no longer point to a canonical "best practices" configuration as the original has been neglected; however it may serve as a starting point: https://github.com/SwiftOnSecurity/sysmon-config


Using Logstash, is it possible to queue events in case the machine in question temporarily loses network connectivity?


Yes. Newer versions of Logstash have an on-disk queue that will store events that haven't been ACK'd by ElasticSearch.

On the other side, every Beat (or nearly every Beat) can write to a messaging product like Kafka. That allows you to get logs off your client in the face of failures in either Logstash or ElasticSearch.


It should be, Logstash is just a message router, and this is one of the router's fundamental functions. Certainly this is true for Fluentd.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: