Active Directory Monitoring #1722
I'm attempting to set up some dashboards to monitor AD events such as logon/logoff, failed login attempts, group membership changes etc. and I've found a few sites that explain how this is done in a normal ELK installation. I've successfully got Winlogbeat shipping the logs and I can see them reaching Security Onion. What I was wondering is what files I should be modifying when documentation regarding ELK makes mention of logstash.yml and so on? For reference this is one of the docs I'm following: https://www.syspanda.com/index.php/2018/05/03/monitoring-active-directory-elk/ It is making a bunch of mutate and filters to cut down the events and change the message. Is there a pillar file or something I should be modifying? I've looked through the docs but can't really find anything towards that. Just on the topic of host log shipping, is there a "best" method for it? I see we can do it with Wazuh, Winlogbeat or Osquery and was just wondering if there is a method that is preferred by SO or anything like that. I'm open to anything.
Replies: 1 comment 4 replies
If you use WLB/Wazuh/Osquery for shipping, the parsing is already built in for Windows Event Logs. Do you see the Windows Event Logs in Hunt / Kibana? Are there fields that are not being parsed out correctly?
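The linked syspanda walkthrough does its "cut down the events and change the message" work with Logstash drop and mutate filters. The script below is an added example, not code from this thread, from Security Onion, or from that walkthrough: it does the same two jobs in plain Python over a handful of constructed Winlogbeat-shaped events, so the filtering and alerting logic can be read and tested on its own before being expressed in whatever pipeline your stack uses. It assumes the Winlogbeat/ECS field layout (`winlog.event_id`, `winlog.computer_name`, `winlog.event_data.*`); the event IDs are the standard Windows Security log IDs for logon (4624), failed logon (4625), logoff (4634) and group member additions (4728/4732/4756). The privileged-group watch list and the failed-logon threshold are assumptions to tune for your environment.

```python
"""Triage AD security events shipped by Winlogbeat: keep only the event IDs we
dashboard, flatten them to consistent field names, and flag failed-logon bursts
and privileged-group membership changes.

Added example with constructed sample data; field names follow the Winlogbeat
(ECS) layout and may need adjusting for another shipper.
"""
import json
from collections import Counter

# Standard Windows Security log event IDs -> label used in the dashboards
EVENTS_OF_INTEREST = {
    4624: "logon",
    4625: "failed_logon",
    4634: "logoff",
    4728: "member_added_global_group",
    4732: "member_added_local_group",
    4756: "member_added_universal_group",
}

# Assumed watch list and threshold; tune these for your environment
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
FAILED_LOGON_THRESHOLD = 3


def ev(ts, event_id, **event_data):
    """Build one event in the Winlogbeat JSON shape (constructed sample data)."""
    return {"@timestamp": ts,
            "winlog": {"event_id": event_id, "computer_name": "DC01",
                       "event_data": event_data}}


# Constructed sample batch: a logon, three failed logons for one account,
# a Domain Admins membership change, a logoff, and one noise event to drop.
SAMPLE_EVENTS = [
    ev("2021-01-05T10:00:01Z", 4624, TargetUserName="alice", IpAddress="10.0.0.5", LogonType="3"),
    ev("2021-01-05T10:00:02Z", 4625, TargetUserName="bob", IpAddress="10.0.0.9", Status="0xc000006d"),
    ev("2021-01-05T10:00:03Z", 4625, TargetUserName="bob", IpAddress="10.0.0.9", Status="0xc000006d"),
    ev("2021-01-05T10:00:04Z", 4625, TargetUserName="bob", IpAddress="10.0.0.9", Status="0xc000006d"),
    ev("2021-01-05T10:00:05Z", 4728, SubjectUserName="alice", TargetUserName="Domain Admins",
       MemberName="CN=bob,OU=Users,DC=example,DC=local"),
    ev("2021-01-05T10:00:06Z", 4634, TargetUserName="alice"),
    ev("2021-01-05T10:00:07Z", 5156, Application="svchost.exe"),  # filtering-platform noise
]


def normalize(event):
    """Equivalent of a Logstash drop + mutate step: return None for events we
    do not dashboard, otherwise a flat record with consistent field names."""
    winlog = event.get("winlog", {})
    event_id = winlog.get("event_id")
    action = EVENTS_OF_INTEREST.get(event_id)
    if action is None:
        return None
    data = winlog.get("event_data", {})
    record = {
        "timestamp": event.get("@timestamp"),
        "host": winlog.get("computer_name"),
        "event_id": event_id,
        "action": action,
        "user": data.get("TargetUserName"),
        "source_ip": data.get("IpAddress"),
    }
    if action.startswith("member_added"):
        # For group-change events TargetUserName is the group, not an account
        record["group"] = data.get("TargetUserName")
        record["member"] = data.get("MemberName")
        record["actor"] = data.get("SubjectUserName")
    return record


def triage(events):
    """Normalise a batch and raise alerts for failed-logon bursts and
    privileged-group membership changes. Returns (records, alerts)."""
    records = [r for r in (normalize(e) for e in events) if r is not None]
    alerts = []
    failed = Counter(r["user"] for r in records if r["action"] == "failed_logon")
    for user, count in failed.items():
        if count >= FAILED_LOGON_THRESHOLD:
            alerts.append(f"failed_logon_burst user={user} count={count}")
    for r in records:
        if r["action"].startswith("member_added") and r.get("group") in PRIVILEGED_GROUPS:
            alerts.append(f"privileged_group_change group={r['group']} "
                          f"member={r['member']} by={r['actor']}")
    return records, alerts


if __name__ == "__main__":
    records, alerts = triage(SAMPLE_EVENTS)
    print(json.dumps(records, indent=2))
    for alert in alerts:
        print("ALERT", alert)
```

Running it prints six flattened records (the 5156 event is dropped) and two alerts: a burst of three failed logons for `bob` and the addition of `bob` to Domain Admins by `alice`. The same structure maps directly onto a pipeline: `normalize` is the drop/mutate stage, `triage` is the query or alert rule you would put behind a dashboard panel.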