Collecting & analysing Windows event logs with Winlogbeat & ELK

11,126 views

Attack Detect Defend

1 day ago

In this video we’ll be using Winlogbeat to supplement the Security Onion sensor from the previous video with Windows event logs. This provides a single location in which to collate, search and analyse Windows events from multiple machines, and to correlate them with network events. We also cover how to create a GPO to configure Winlogbeat automatically.
References:
Previous video on Security Onion: • Bootstrap your Network...
Winlogbeat configuration (inc. encryption): docs.securityonion.net/en/2.3...
Windows Event Log encyclopedia: www.ultimatewindowssecurity.c...
Timecodes:
0:00 Introduction
3:02 Sensor Setup
3:22 Single Client Setup
4:46 A Simple Search
6:36 Multi-Client Setup (via GPO)
8:20 Final Thoughts
Credits:
Intro/Outro Music: Render - Prism: • Render - Prism [Creati... (via Argofox: / argofox )
Diagram icons designed by OpenMoji (openmoji.org/) CC BY-SA 4.0

Comments: 24
@INSAN3JAK3 2 years ago
Thanks mate! I am currently working on my Bachelor thesis, where I am using Security Onion in a test lab / virtual environment and running some Red Canary Atomic Tests against it. Your channel is vastly underrated! There are not many good video step by step tutorials out there when it comes to Security Onion! So yeah, thanks again mate! 🙏
@iven4843 1 year ago
Damn, thanks for reminding me what actual video quality looks like!
@arunmehra49 1 year ago
Your videos are really awesome, highly useful, easy to understand and practical.
@anonuser7795 2 years ago
Loving the videos man please keep it rolling!
@Manavetri 1 year ago
Top tier videos. Thank you for creating this content.
@vincegremillion1533 2 years ago
Thanks!! You helped me find a problem I had with forwarding to SO, I'll be looking more at your resources.
@bacteria666 2 years ago
Amazing video, congrats! I came here trying to find a way to create default dashboards.
@VIPMakhana 9 months ago
Thanks mate!
@aktharhussain1606 2 years ago
Awesome, thank you!
@boolve 9 months ago
I do like your enthusiasm. Well done. Carry on. Myself, looking at those videos as a beginner security enthusiast, a more simplistic approach is welcome for upcoming videos. Thanks.
@theburtmacklin9615 3 years ago
Awesome video Andy! There are so many videos out there that consist of high-level but ultimately un-actionable information / buzzwords, meanwhile you deliver concrete actionable information. Super high-value content (which is so hard to find). Would you be into doing a video on pushing DFIR agents (something like Velociraptor)?
@rot169 2 years ago
Thank you as always for your kind words! :-) I confess I'd not heard of Velociraptor before - but it looks like it'd make a great addition to this blue-focussed series, so have added it to the list - thanks!!
@toddmacqueen731 2 years ago
Thank you for this. I was struggling to get it working and it turns out I just missed a couple comment settings in the .yml. Your video solved it for me!
@rot169 2 years ago
You are most welcome - it's great to hear this helped you out! :-)
@harrieswanepoel9678 2 years ago
Great!!!
@shehzadarshad2000 2 years ago
Hi dude, it's really a nice video.
@bilalbokhari 3 years ago
Good Stuff! Would love to hear more about your hardware setup to host vms
@rot169 3 years ago
I have a very modest VM host... a Ryzen 3550H 4C/8T mini-pc + 16GB RAM + 512MB NVMe, running ESXi 6.7. Not too expensive, runs cool & quiet, and doesn't consume a ton of electricity - yet still enough power for a handful of VMs (including SecOnion). The only time it's really struggled is when all my windows hosts decided to update at exactly the same time! Let me know if you'd like to see more detail - could be a good topic for a future video!!
@bilalbokhari 3 years ago
@@rot169 thank you so much! A video on this would be great. You have great content. Keep doing the excellent work!
@jonathanferriter4716 1 year ago
I'm trying the GPO part, but I have to reboot each computer in order to get it to work. I get an error message in Event Viewer saying that the GPO failed to apply because the service wasn't an installed service. I know it's a year later but I'm hoping you can help me out! Great video!!
@thenetworkoddmin 2 years ago
Were you able to run logstash on eval mode? I cannot enable it.
@rot169 2 years ago
I made this same mistake the first time! Eval mode doesn't start a Logstash service; you have to install SecOnion in 'Standalone' mode!
@thenetworkoddmin 2 years ago
@@rot169 Thanks for replying, yes it works on standalone now :) Man, Security Onion is a very broad technology, had to learn a lot. Keep posting :D
@rot169 2 years ago
Haha yeah it's a great little distro! There's certainly more SecOnion-related stuff on the way 👍🏽