A Simple Basic Security for Windows

Ming-der Wang

ming@log4analytics.com

Installing winlogbeat

Install option 1 - directly to Elasticsearch

winlogbeat -> ( Elasticsearch -> Kibana )

Step 1. Download and install winlogbeat

Install Winlogbeat 1.3.1 for ELK 4.x

(for ELK 5.x, install 5.0.0)

.\install-service-winlogbeat.ps1

Step 2. Edit winlogbeat.yml

Configuration file


winlogbeat.event_logs:
  - name: Application
  - name: Security
  - name: System

output.elasticsearch:
  hosts:
    - <ELK_IP_NAME>:9200

logging.to_files: true
logging.files:
  path: C:/ProgramData/winlogbeat/Logs
logging.level: info

Step 3. Run winlogbeat manually

winlogbeat -c winlogbeat.yml
A sample winlogbeat.yml can be downloaded from the gist.

Step 4. Start winlogbeat

Start-Service winlogbeat

Install option 2 - via Logstash

winlogbeat -> ( Logstash -> Elasticsearch -> Kibana )
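The winlogbeat.yml below is an added example for option 2, not taken from the original slides or the gist; it assumes the 5.x configuration style used in step 2, and the Logstash host name, port 5044 and the CA certificate path are placeholders:

```yaml
# Added example: ship Windows event logs to Logstash instead of Elasticsearch.
# Only the output section differs from the option 1 configuration.
winlogbeat.event_logs:
  - name: Application
  - name: Security
  - name: System

output.logstash:
  # Assumed host and port; Logstash must run a beats input on the same port.
  hosts:
    - <LOGSTASH_IP_NAME>:5044
  # Assumed CA path: pin the Logstash server certificate so the Security log
  # is not shipped in clear text and cannot be redirected to a rogue collector.
  ssl.certificate_authorities:
    - C:/ProgramData/winlogbeat/ca.crt

logging.to_files: true
logging.files:
  path: C:/ProgramData/winlogbeat/Logs
logging.level: info
```

On the Logstash side the matching pipeline needs a `beats { port => 5044 ssl => true ... }` input forwarding to an `elasticsearch` output; until that input is up, winlogbeat will log connection errors under the logging path above rather than deliver events.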

Testing: list the event logs available on the host

PS C:\Program Files\Winlogbeat> Get-EventLog *

  Max(K) Retain OverflowAction        Entries Log
  ------ ------ --------------        ------- ---
  20,480      0 OverwriteAsNeeded       3,024 Application
  20,480      0 OverwriteAsNeeded           0 HardwareEvents
     512      7 OverwriteOlder              0 Internet Explorer
  20,480      0 OverwriteAsNeeded           0 Key Management Service
  20,480      0 OverwriteAsNeeded       5,179 Security
  20,480      0 OverwriteAsNeeded       3,684 System
  15,360      0 OverwriteAsNeeded         157 Windows PowerShell

Manually run winlogbeat.exe

PS C:\Program Files\Winlogbeat> ./winlogbeat.exe -c ./winlogbeat.yml

Check in your ELK stack for the index pattern:

winlogbeat-*

PC system security logs

The installation process itself was also logged.

References:

Secure Your Windows Server with Winlogbeat

By Ming-der Wang
