Sending Windows Events to SO and analyze them #10065
-
|
Dear all, I have a windows server and all other servers send their events to this server (subscription). So this server stores all windows logs in its event viewer. I like to send all events viewer logs to SO and analyze/filter them there. I installed the OSquery which I downloaded from my SO server (standalone install, latest version, updated yesterday). I allowed IP of the windows server for OSquery with so-allow. I don't get any logs on SO. I don't know what else should I do on Windows to configure it. I see my SO IP in the config file already. Is there any other way to forward windows events? Could you please guide me? Thank you so much. |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 2 replies
-
|
The easiest way to forward Windows logs into a Security Onion instance is with Winlogbeat. Here's a video walking through the process: https://www.youtube.com/watch?v=Xz-7oDrZdQY |
Beta Was this translation helpful? Give feedback.
-
|
Thank you for your answer @InfosecGoon I will try that. |
Beta Was this translation helpful? Give feedback.
-
|
Thank you @InfosecGoon. I managed to forward events to SO. Are there any special settings for forwarded events? I see local events of the server forwarded and categorized according to event.dataset name I entered on the config file but not the forwarded events. |
Beta Was this translation helpful? Give feedback.
The easiest way to forward Windows logs into a Security Onion instance is with Winlogbeat.
Here's a video walking through the process: https://www.youtube.com/watch?v=Xz-7oDrZdQY