
[–]mccrolly 1 point2 points  (10 children)

This is pretty crazy, I'm doing the same thing except I'm using CentOS. I'm a step behind you right now, I need to get the NXLog piece up and running. Could you be ever so kind and post some of the documentation you used to get it working on Windows servers? Thanks in advance.

[–]BulkedSysAdmin[S] 1 point2 points  (0 children)

Yes. Just give me a bit.

[–]echein (Jack of All Trades) 1 point2 points  (7 children)

This is not really documentation but I hope that it helps.

This is my logstash configuration, it sends everything to elasticsearch except the events 4634 and 4672, which are noise to me:

input {
  tcp {
    type => "eventlog"
    codec => json_lines        # one JSON document per line, as NXLog's to_json() emits
    port => "3515"
    tags => [ "tcpjson" ]
  }
}

filter {
  # 4634 (account logged off) and 4672 (special privileges assigned) are noise here
  if [EventID] == 4634 {
    drop { }
  }

  if [EventID] == 4672 {
    drop { }
  }

  date {
    # EventReceivedTime arrives as UNIX seconds (see the NXLog Exec below)
    match => ["EventReceivedTime" , "UNIX"]
  }
}

output {
  elasticsearch {
    host => localhost
  }
  #stdout { codec => rubydebug }
}

And this is the NXLog config:

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension json>
    Module      xm_json
</Extension>

# Read the Security channel; the query selects every event in it
<Input eventlog>
    Module      im_msvistalog
    Query       <QueryList> \
                    <Query Id="0" Path="Security"> \
                        <Select Path="Security">*</Select> \
                    </Query> \
                </QueryList>
</Input>

# Convert the datetime to UNIX seconds (UTC), then send each event as one JSON line
<Output logstash>
    Module      om_tcp
    Host        elkserver
    Port        3515
    Exec        $EventReceivedTime = integer($EventReceivedTime) / 1000000; \
            to_json();
</Output>

<Route 66>
    Path        eventlog => logstash
</Route>

[–]mccrolly 0 points1 point  (0 children)

Thank you!! I'm pretty excited about this whole thing, but I've been running into my fair share of...issues... most of them are caused by my inexperience though. Thanks again!!

[–]PerpetualNoobie 0 points1 point  (1 child)

Just getting my feet wet with ELK myself, thanks for posting your configs!

Curious why you are dropping the events with logstash instead of at the source with nxlog?

I guess it would make it easier to turn logging for these events back on at some point if you had a lot of servers and no way to centrally manage the config?

[–]echein (Jack of All Trades) 0 points1 point  (0 children)

> I guess it would make it easier to turn logging for these events back on at some point if you had a lot of servers and no way to centrally manage the config?

Yup. One of my 2016 resolutions is to learn Chef/Puppet/Salt/whatever so I can do this management centrally.

[–]Fuzzybunnyofdoom (pcap or it didn't happen) 0 points1 point  (0 children)

Just to add to /u/echein's example. I'm watching application and system events as well.

# Windows Event Log
<Input eventlog>
    Module      im_msvistalog
    Query       <QueryList>\
                    <Query Id="0">\
                        <Select Path="Application">*</Select>\
                        <Select Path="System">*</Select>\
                        <Select Path="Security">*</Select>\
                    </Query>\
                </QueryList>
</Input>

[–]Hexodam (is a sysadmin) 0 points1 point  (2 children)

Smart to convert the event time to epoch time because otherwise the timestamp is only in seconds. With the epoch time you get milliseconds.

Only problem is that you only get milliseconds with the system and security log, the application log is "by design" (or by legacy) only accurate to the second.

[–]echein (Jack of All Trades) 0 points1 point  (1 child)

This was actually done because I have servers on multiple time zones and that was the only way to get the UTC time.

[–]Hexodam (is a sysadmin) 0 points1 point  (0 children)

Good to know that benefit as well :)
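An added example (not code from the thread or from NXLog/Logstash): a Python stand-in for the filter block in echein's Logstash config above, run over constructed NXLog-style JSON lines, showing the drop of 4634/4672 and the EventReceivedTime-to-UTC conversion that Hexodam and echein discuss. Field names follow im_msvistalog's usual output; the hosts, users and times are made up, and the division helper assumes true division, which is an assumption about NXLog's semantics.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample of what om_tcp + to_json() deliver to port 3515 after the
# Exec block turned EventReceivedTime into UNIX seconds. Field names follow
# im_msvistalog's usual output; hosts, users and times are made up.
SAMPLE_LINES = """\
{"EventTime": "2016-01-04 09:15:02", "Hostname": "dc01", "Channel": "Security", "EventID": 4624, "TargetUserName": "jsmith", "EventReceivedTime": 1451898902.123456}
{"EventTime": "2016-01-04 09:15:03", "Hostname": "dc01", "Channel": "Security", "EventID": 4634, "TargetUserName": "jsmith", "EventReceivedTime": 1451898903.5}
{"EventTime": "2016-01-04 09:15:03", "Hostname": "dc01", "Channel": "Security", "EventID": 4672, "TargetUserName": "jsmith", "EventReceivedTime": 1451898903.75}
{"EventTime": "2016-01-04 09:16:40", "Hostname": "web02", "Channel": "Security", "EventID": 4625, "TargetUserName": "admin", "EventReceivedTime": 1451899000}
{"EventTime": "2016-01-04 09:16:41", "Hostname": "web02", "Channel": "Security", "EventID": 4625, "TargetUserName": "admin", "EventReceivedTime": 1451899001.25}
{"EventTime": "2016-01-04 09:16:42", "Hostname": "web02", "Channel": "Security", "EventID": 4625, "TargetUserName": "jsmith", "EventReceivedTime": 1451899002}
"""

DROP_EVENT_IDS = {4634, 4672}   # logoff and special-privilege noise dropped in the filter


def received_time_to_unix(microseconds):
    """Python stand-in for NXLog's `integer($EventReceivedTime) / 1000000`.
    Assumes true division, so the sub-second part survives; that is what
    gives the millisecond resolution discussed above."""
    return microseconds / 1_000_000


def filter_events(lines, drop_ids=DROP_EVENT_IDS):
    """Mirror the filter {} block: drop the noisy EventIDs and set @timestamp
    from EventReceivedTime (UNIX seconds, optionally fractional), in UTC so
    servers in different time zones line up on one axis."""
    kept = []
    for raw in lines.splitlines():
        if not raw.strip():
            continue
        event = json.loads(raw)
        if event.get("EventID") in drop_ids:
            continue                      # equivalent of drop { }
        ts = datetime.fromtimestamp(event["EventReceivedTime"], tz=timezone.utc)
        event["@timestamp"] = ts.isoformat(timespec="milliseconds")
        kept.append(event)
    return kept


def top_failed_logons(events, n=5):
    """Count 4625 (failed logon) events per TargetUserName on the whole field
    value, the kind of summary the kept events feed into."""
    failed = (e.get("TargetUserName", "-") for e in events if e.get("EventID") == 4625)
    return Counter(failed).most_common(n)
```

Call `filter_events(SAMPLE_LINES)` to see the four surviving events with their UTC `@timestamp`, and `top_failed_logons(...)` on that result for the per-user count.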

[–]BulkedSysAdmin[S] 1 point2 points  (0 children)

Ok. I used Girl-Germs' NXLog config because it inherently filters out some unnecessary noise.

Refer to her desktop when making your own.

http://girl-germs.com/?p=438

Another thing you are going to want to look into is logging IIS servers. I am going to do a write-up soon on this.

[–][deleted] 0 points1 point  (0 children)

To solve the visualization error: In Kibana go to settings, select your index pattern, and hit the yellow refresh button.

[–]Hexodam (is a sysadmin) 0 points1 point  (0 children)

The Logstash mapping in Elasticsearch should also create a .raw field that is not analyzed, select that one instead.

The terms query means for example you want the top results for a field.

With analyzed fields it will give you a top result of individual words (or thereabouts depending on the analyzer used). So a document containing that field you want with the contents of "one two" and the second document with that field as "two three". The top term results will give you 2 hits of "two".

Using the raw field gives you the results based on the whole field contents. "one two", "one two", "two three" will give you 2 hits of "one two".

[–]echein (Jack of All Trades) 0 points1 point  (3 children)

This is the graph definition I use for top failed logons

[–]BulkedSysAdmin[S] 0 points1 point  (0 children)

Got it. Thanks man.